CA2391996C - Transfer of security association during a mobile terminal handover - Google Patents
Transfer of security association during a mobile terminal handover Download PDFInfo
- Publication number
- CA2391996C CA2391996C CA002391996A CA2391996A CA2391996C CA 2391996 C CA2391996 C CA 2391996C CA 002391996 A CA002391996 A CA 002391996A CA 2391996 A CA2391996 A CA 2391996A CA 2391996 C CA2391996 C CA 2391996C
- Authority
- CA
- Canada
- Prior art keywords
- access
- point
- mobile
- communication
- terminal
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Lifetime
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/04—Key management, e.g. using generic bootstrapping architecture [GBA]
- H04W12/043—Key management, e.g. using generic bootstrapping architecture [GBA] using a trusted network node as an anchor
- H04W12/0433—Key management protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0869—Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03—Protecting confidentiality, e.g. by encryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W36/00—Hand-off or reselection arrangements
- H04W36/0005—Control or signalling for completing the hand-off
- H04W36/0011—Control or signalling for completing the hand-off for data sessions of end-to-end connection
- H04W36/0033—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
- H04W36/0038—Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W84/00—Network topologies
- H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
- H04W84/10—Small scale networks; Flat hierarchical networks
- H04W84/12—WLAN [Wireless Local Area Networks]
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
- Small-Scale Networks (AREA)
- Alarm Systems (AREA)
- Transceivers (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
An existing security association is re-established when a communication handover event occurs in a radio communications system such as IEEE 082.11 or a HIPERLAN wherein the existing security association between a mobile terminal and a wireless communication network is maintained when the communication handover occurs within the network. Authentication during a handover event is achieved by a challenge/response procedure. In accordance with the challenge/response procedure each member of a communication pair that is made up of a new access point and the mobile terminal that is experiencing a handover to the new access point sends a challenge to the other member of the communication pair. Each member of the communication pair then calculates a response to its received challenge, and these responses are sent back to the other member of the communication pair. Each member of the communication pair then compares its received response to a correct response. When these comparisons are correct, payload communication begins between the second access point and the mobile terminal.
Description
TRANSFER OF SECURITY ASSOCIATION DURING A MOBILE
TERMINAL HANDOVER
FIELD OF THE INVENTION
This invention relates to radio communications systems of which a wireless local area network (WLAN) is a non-limiting example. More specifically this invention relates to providing information security when a mobile terminal is handed-over from a first base station or access point (AP) to a second base station or access point (AP).
BACKGROUND OF THE INVENTION
In a minimum configuration, a communication system is formed by a transmitting station and a receiving station that are interconnected by a communication channel. Communication signals generated by the transmitting station are transmitted upon the communication channel and received by the receiving station.
In a radio communication system at least a portion of the communication channel is formed by a portion of the electromagnetic spectrum. Increased mobility of communications is permitted in a radio communication system because a fixed or a hard-wired connection is not required between the transmitting and receiving stations.
A cellular communication system, of which a cellular telephone system is an example, is an example of a radio communication system. When the mobile terminal of a subscriber to a cellular communication system is physically positioned at almost any location throughout an area that is encompassed by the network infrastructure of the cellular communication system, the mobile terminal is able to communicate by way of the cellular communication system CONFIRMATION COPY
TERMINAL HANDOVER
FIELD OF THE INVENTION
This invention relates to radio communications systems of which a wireless local area network (WLAN) is a non-limiting example. More specifically this invention relates to providing information security when a mobile terminal is handed-over from a first base station or access point (AP) to a second base station or access point (AP).
BACKGROUND OF THE INVENTION
In a minimum configuration, a communication system is formed by a transmitting station and a receiving station that are interconnected by a communication channel. Communication signals generated by the transmitting station are transmitted upon the communication channel and received by the receiving station.
In a radio communication system at least a portion of the communication channel is formed by a portion of the electromagnetic spectrum. Increased mobility of communications is permitted in a radio communication system because a fixed or a hard-wired connection is not required between the transmitting and receiving stations.
A cellular communication system, of which a cellular telephone system is an example, is an example of a radio communication system. When the mobile terminal of a subscriber to a cellular communication system is physically positioned at almost any location throughout an area that is encompassed by the network infrastructure of the cellular communication system, the mobile terminal is able to communicate by way of the cellular communication system CONFIRMATION COPY
2 with another mobile terminal.
The network infrastructure of an exemplary wireless communication system includes physically spaced-apart base stations or access points (APs) which each include a transceiver. In such an exemplary system, each base station or AP defines a geographic area or cell of the comniunications system. As a first mobile terminal is used to communicate with a second niobile terminal, and as the first niobile terminal travels or moves between the cells of the system, uninterrupted communication is possible by handing-over communications from one base station to another base station. Such a coinmunication handover is provided by a handover process.
A High Performance radio Local Area Network such as HIPERLAN type-2 supports three kinds of handover. HIPERLAN/2 provides high speed.
(typically 25 Mb/s data rate) communications between portable devices and broadband IP, ATM and UMTS networks, and is capable of supporting multiple media applications, with the typical application being indoors.
HIPERLAN/2 provides local wireless access to different infrastructure networks (e.g. IP, ATM and UMTS) by moving and stationary terminals that interact with access points which, in turn, usually are connected to an IP, ATM, or UMTS backbone. A number of access points are required to service the network. The wireless network as a whole supports handovers of connections between access points to provide mobility. Typical operating environments include business networks and domestic premises networks. An overview of HIPERLAN112 access networks is provided by the European Telecommunications Standards Institute (ETSI) docunient DTR/BRAN-00230002, I998.
Depending upon the mobile terminal's handover decision, sector handover (inter-sector), radio handover (inter access point transceiver/inter access point
The network infrastructure of an exemplary wireless communication system includes physically spaced-apart base stations or access points (APs) which each include a transceiver. In such an exemplary system, each base station or AP defines a geographic area or cell of the comniunications system. As a first mobile terminal is used to communicate with a second niobile terminal, and as the first niobile terminal travels or moves between the cells of the system, uninterrupted communication is possible by handing-over communications from one base station to another base station. Such a coinmunication handover is provided by a handover process.
A High Performance radio Local Area Network such as HIPERLAN type-2 supports three kinds of handover. HIPERLAN/2 provides high speed.
(typically 25 Mb/s data rate) communications between portable devices and broadband IP, ATM and UMTS networks, and is capable of supporting multiple media applications, with the typical application being indoors.
HIPERLAN/2 provides local wireless access to different infrastructure networks (e.g. IP, ATM and UMTS) by moving and stationary terminals that interact with access points which, in turn, usually are connected to an IP, ATM, or UMTS backbone. A number of access points are required to service the network. The wireless network as a whole supports handovers of connections between access points to provide mobility. Typical operating environments include business networks and domestic premises networks. An overview of HIPERLAN112 access networks is provided by the European Telecommunications Standards Institute (ETSI) docunient DTR/BRAN-00230002, I998.
Depending upon the mobile terminal's handover decision, sector handover (inter-sector), radio handover (inter access point transceiver/inter access point
3 handover), network handover (inter access point/inter network handover) or forced handover may occur in accordance with HIPERLAN/2.
Prior to the execution of a handover, the mobile terminal must gather relevant measurements on the frequency that is used by the current access point, as well as on the frequencies that are used by access points that are candidates for a handover. Measurements on the serving frequency can be carried out by the mobile terminal while it is synchronized to the current access point.
However, in order to measure the frequency of neighboring access points, the mobile terminal must be temporarily absent from the current access point.
During a mobile terminal absent procedure the mobile terminal is temporarily disconnected from the current access point, in order that the mobile terminal can perform measurements on neighboring access points. During this time, no communication between the mobile terminal and the current access point is possible. As part of this absent procedure, the mobile terminal tells the current access point that it will be absent for n-frames. During this absent period, the mobile terminal cannot be reached by the current access point.
After the absent period, the current access point may trigger a mobile terminal alive sequence to check if the mobile terminal is available.
During a sector handover the antenna sectoi- of the access point is changed, and the same access point controls the entire handover. After a successful sector handover, the mobile terminal communicates via the new sector.
A radio handover relates to access points having more than one transceiver per access point, for example two access point transceivers and one access point controller. Radio handover is performed when a mobile terminal moves from a coverage area of one access point to another coverage area that is served by the same access point. Since radio handover can be performed within the data link control (DLC) layer, higher layer protocols (HL) are not
Prior to the execution of a handover, the mobile terminal must gather relevant measurements on the frequency that is used by the current access point, as well as on the frequencies that are used by access points that are candidates for a handover. Measurements on the serving frequency can be carried out by the mobile terminal while it is synchronized to the current access point.
However, in order to measure the frequency of neighboring access points, the mobile terminal must be temporarily absent from the current access point.
During a mobile terminal absent procedure the mobile terminal is temporarily disconnected from the current access point, in order that the mobile terminal can perform measurements on neighboring access points. During this time, no communication between the mobile terminal and the current access point is possible. As part of this absent procedure, the mobile terminal tells the current access point that it will be absent for n-frames. During this absent period, the mobile terminal cannot be reached by the current access point.
After the absent period, the current access point may trigger a mobile terminal alive sequence to check if the mobile terminal is available.
During a sector handover the antenna sectoi- of the access point is changed, and the same access point controls the entire handover. After a successful sector handover, the mobile terminal communicates via the new sector.
A radio handover relates to access points having more than one transceiver per access point, for example two access point transceivers and one access point controller. Radio handover is performed when a mobile terminal moves from a coverage area of one access point to another coverage area that is served by the same access point. Since radio handover can be performed within the data link control (DLC) layer, higher layer protocols (HL) are not
4 involved. When the mobile terminal detects the need for a handover to another access point controller, the mobile terminal may still synchronize to the current access point. In this case the mobile terminal may notify its access point controller that the mobile terminal will perform a handover to another access point controller. In the case of a radio handover all relevant information about on-going connections, security parameters, etc. are available in the access point, so that this information is not re-negotiated.
A network handover is carried out when a mobile terminal moves from one access point to another access point. Since the mobile terminal leaves the serving area of a radio control link (RLC) instance, a network handover involves the convergence layer (CL) and the HL (as may be needed), as well as DLCI. To maintain HL association and connections, specific signaling via the backbone may be needed. When the mobile terminal detects the need for handover to another (target) access point, the mobile terminal may still be synchronized to the current access point. In this case, the mobile terminal may notify the current access point that it will perform a handover to another access point. The notified access point shall then stop transmitting to that mobile terminal, but shall maintain association for a specified time, when indicated.
Forced handover gives a current access point the opportunity to order a certain mobile terminal to leave the current access point's cell. A forced handover is initiated by the access point sending a Force_Handover signal to the mobile terminal. In one procedure the mobile terminal performs a normal handover and leaves its old cell, regardless of whether it finds a new cell.
In a second procedure the mobile tei-minal llas the opportunity to come back to the old access point if handover fails.
For further discussion of HIPLERLAN/2 features see the Broadband Radio Access Networks (BRAN); HIPERLAN type 2 Functional Specification;
Radio Link Control (RLC) that are provided by the ETSI standardization organization.
Several types of wireless communication systems have been inlplemented.
and others have been proposed, to enconipass limited geographic areas, for example a limited area that is encompassed by a building or by an office workplace within a building. Wireless communication systems such as microcellular networks, private networks, and WLANs are exemplary of such systems.
Wireless communication systems are typically constructed pursuant to standards that are promulgated by a regulatory or a quasi-regulatory body.
For instance, the IEEE 802.11 standard promulgated by the IEEE (Institute of Electrical and Electronic Engineering) is a wireless local area network (LAN) standard pertaining generally to the commercial 2.4 GHz wireless LAN. The 802.11 standard specifies an interface between a wireless terminal and a base station or access point, as well as amonr wireless terminals. Standards - pertaining to a physical layer and a media access control (MAC) layer are set forth in such a standard. This standard permits automatic medium sharing between different devices that include compatible physical layers.
Asynchronous data transfer is provided for in the standard, generally by way of the MAC layer, utilizing a carrier sense multiple access with collision avoidance (CSMA/CA) communication scheme.
While the IEEE 802.11 standard provides for wireless communications through the use of mobile terminals that are constructed to be mutually operable pursuant to such a standard, the standard does not adequately provide for real time wireless services. For instance. in an implementation of the standard a significant loss of quality is sonietimes experienced dttrin"
handover of communications from one AP to another AP. Excessive numbers of data frames are susceptible to being lost or delayed. resulting in the loss of' communication quality, or even termination ot' communications.
Operational modes different than that set f'orth in the IEEE 802.1 1 standard are therefore required, particularly for real time wireless services.
Proprietary functions have been proposed which permit improved quality of' comnlunications as compared to operation pursuant to the existing IEEE
802.11 standard. APs and mobile terminals that are operable to perform such proprietary functions are referred to as being proprietary mode capable.
However, both ends of a communication pair. consisting of a mobile terminal and the AP through which the mobile terminal comniunicates, must be capable of operation in the proprietary niode. I f both ends of the communication pair are not together operable pursuant to the proprietary mode, conventional operation pursuant to the IEEE 802.11 standard is required. Therefore, prior to permitting both ends of the communication pair to operate in the proprietary mode, a determination must be made of the ability of both ends of the communication pair together to be operable pursuant to the proprietary mode.
An apparatus has been considered that is operable to identify whether both ends of the communication pair are together operable in the proprietary mode, the apparatus operating to activate both ends of the communication pair to operate in the 15 proprietary mode when it is determined that pair-compatibility exits, and the apparatus thereafter operating to maintain the proprietary mode operation during handover procedures should a mobile terminal physically move from a cell that is serviced by a first AP to a cell that is served by a second AP.
In addition to the valuable features that are provided by the apparatus, it would be desirable to re-establish a security association as such an AP-to-AP
handover occurs.
~ Manv customers, and particularly business znvironments, require a high deuree of data security, and this data security cannot be compromised by use of a WLAN installation. Since access to the WLAN cannot be restricted physically, it is customary to use crytographical methods to protect transmitted data and network elenients. Current IEEE 802.11 and ITEF
Internet standards offer two complenlentarv mechanisms lor providing secure data communications over a wireless link. i.e. lnternet Protocol Security (IPSEC). IPSEC is an IP-based security protocol that provides FOR secure communication between two IP hosts. A common use ot'the IPSEC protocol is in the building of Virtual Private Networks (VPNs).
In WLAN systems the IPsec protocol can be used to provide end-to-end security for data packets, this security being provided by authenticatinn, and/or encrypting the transmitted data packets. IPsec uses symmetric cryptography that requires use of the same encr,yption aiid/or authentication key at both ends of a communication link. Sealable key management protocols such as IKE can be used to ~enerate the symmetric keys for an IPsec stack.
While the Internet Key Exchange (IKE) kev manacement protocol is useful for the establishment of an IP level security association durinu an initial mobile-terminal/access-point association. when the need for a comniunication handover occurs, the use of IKE or other similar pi=otocois inflicts a considerable time delay on accomplishing the handover since stich protocols require the exchange of multiple messages, and their use of public key encryption requires very heavy coniputation. Since a liandover of the payload traffic can be resumed only after an active security association has been established between the new-AP and the mobile terminal, the use of the IKE
key management protocol or other such protocols presents problems during the handover.
When any security protocol with a dynanlic encryption key, i.e. a session-dependent dynamic key, is applied between a mobile terminal and an AP, it is desirable to find a mechanism for the transfer of an active security association from one AP to another AP, as the mobile terniinal moves within the coverage that is provided by the wireless radio network or system.
It is in light of this background information that the present invention provides a low or short delay method/apparatus for the key management and security association re-establishment during a WLAN communication handover, wherein there is no need to modify the end-to-end security association during handover (e.g. IPsec payload connections between the mobile terminal and a server), and wherein the handover affects only the security functions between the mobile terminal and the new and old APs.
SUMMARY OF THE INVENTION
This invention relates to radio communications, to the IEEE 802.11 2.4 GHz WLAN standard, to high performance radio local area networks (HIPERLANs), to the ETSI HIPERLAN type 2 standard, and to IPSEC level security association between a wireless terminal and network elements. The invention finds utility in any IP based wireless network, examples of which include ETSI BRAN and IEEE 802.11. In addition the invention finds utility when a mobile terminal moves between two IPSEC router entities where a wireless terminal communicates witll an endpoint that is not a wireless access point.
The present invention provides an efficient method/apparatus for re-establishing an existing security association when a handover event occurs in a radio communications system such as an IEEE 802.11 or a HIPERLAN.
Operation of this invention increases handover performance, and minimizes the delay that is associated with re-negotiating an security association between a new AP and a mobile terminal.
The invention provides an efficient way to maintain an establislied security association between a mobile terminal and the wireless communication network when a handover occurs within the network. An example of the utility of the invention is a WLAN having Internet Protocol Security (IPsec) based security association between the APs and the nlobile terminals that are within the WLAN. However, the invention also finds utility for maintaining any type of dynamic security association, such as HIPERLAN/2 radio level security functions.
In accordance with the invention, authentication of a mobile terminal during a handover event is achieved by a challenge/response procedure. In accordance with this challenge/response procedure the new AP sends a challenge to the mobile terminal, whereupon the mobile terminal (MT) responds by sending a response to the new AP.
An authentication key for both ends of the communication pair that is made up of a mobile terminal and an AP is originally generated by a scaleable key management protocol, for example Internet Key Exchange (1KE). Security associations are transferred between the various APs that are within the wireless communication system in order to avoid the need for a new and different key exchange during each handover.
The keys and their related information are requested by a new AP during a handover process, and the keys and other information are transferred from the old AP to the new AP in one or more handover messages that pass between the old AP
and the new AP. The exchange of authentication challenges and the responses
A network handover is carried out when a mobile terminal moves from one access point to another access point. Since the mobile terminal leaves the serving area of a radio control link (RLC) instance, a network handover involves the convergence layer (CL) and the HL (as may be needed), as well as DLCI. To maintain HL association and connections, specific signaling via the backbone may be needed. When the mobile terminal detects the need for handover to another (target) access point, the mobile terminal may still be synchronized to the current access point. In this case, the mobile terminal may notify the current access point that it will perform a handover to another access point. The notified access point shall then stop transmitting to that mobile terminal, but shall maintain association for a specified time, when indicated.
Forced handover gives a current access point the opportunity to order a certain mobile terminal to leave the current access point's cell. A forced handover is initiated by the access point sending a Force_Handover signal to the mobile terminal. In one procedure the mobile terminal performs a normal handover and leaves its old cell, regardless of whether it finds a new cell.
In a second procedure the mobile tei-minal llas the opportunity to come back to the old access point if handover fails.
For further discussion of HIPLERLAN/2 features see the Broadband Radio Access Networks (BRAN); HIPERLAN type 2 Functional Specification;
Radio Link Control (RLC) that are provided by the ETSI standardization organization.
Several types of wireless communication systems have been inlplemented.
and others have been proposed, to enconipass limited geographic areas, for example a limited area that is encompassed by a building or by an office workplace within a building. Wireless communication systems such as microcellular networks, private networks, and WLANs are exemplary of such systems.
Wireless communication systems are typically constructed pursuant to standards that are promulgated by a regulatory or a quasi-regulatory body.
For instance, the IEEE 802.11 standard promulgated by the IEEE (Institute of Electrical and Electronic Engineering) is a wireless local area network (LAN) standard pertaining generally to the commercial 2.4 GHz wireless LAN. The 802.11 standard specifies an interface between a wireless terminal and a base station or access point, as well as amonr wireless terminals. Standards - pertaining to a physical layer and a media access control (MAC) layer are set forth in such a standard. This standard permits automatic medium sharing between different devices that include compatible physical layers.
Asynchronous data transfer is provided for in the standard, generally by way of the MAC layer, utilizing a carrier sense multiple access with collision avoidance (CSMA/CA) communication scheme.
While the IEEE 802.11 standard provides for wireless communications through the use of mobile terminals that are constructed to be mutually operable pursuant to such a standard, the standard does not adequately provide for real time wireless services. For instance. in an implementation of the standard a significant loss of quality is sonietimes experienced dttrin"
handover of communications from one AP to another AP. Excessive numbers of data frames are susceptible to being lost or delayed. resulting in the loss of' communication quality, or even termination ot' communications.
Operational modes different than that set f'orth in the IEEE 802.1 1 standard are therefore required, particularly for real time wireless services.
Proprietary functions have been proposed which permit improved quality of' comnlunications as compared to operation pursuant to the existing IEEE
802.11 standard. APs and mobile terminals that are operable to perform such proprietary functions are referred to as being proprietary mode capable.
However, both ends of a communication pair. consisting of a mobile terminal and the AP through which the mobile terminal comniunicates, must be capable of operation in the proprietary niode. I f both ends of the communication pair are not together operable pursuant to the proprietary mode, conventional operation pursuant to the IEEE 802.11 standard is required. Therefore, prior to permitting both ends of the communication pair to operate in the proprietary mode, a determination must be made of the ability of both ends of the communication pair together to be operable pursuant to the proprietary mode.
An apparatus has been considered that is operable to identify whether both ends of the communication pair are together operable in the proprietary mode, the apparatus operating to activate both ends of the communication pair to operate in the 15 proprietary mode when it is determined that pair-compatibility exits, and the apparatus thereafter operating to maintain the proprietary mode operation during handover procedures should a mobile terminal physically move from a cell that is serviced by a first AP to a cell that is served by a second AP.
In addition to the valuable features that are provided by the apparatus, it would be desirable to re-establish a security association as such an AP-to-AP
handover occurs.
~ Manv customers, and particularly business znvironments, require a high deuree of data security, and this data security cannot be compromised by use of a WLAN installation. Since access to the WLAN cannot be restricted physically, it is customary to use crytographical methods to protect transmitted data and network elenients. Current IEEE 802.11 and ITEF
Internet standards offer two complenlentarv mechanisms lor providing secure data communications over a wireless link. i.e. lnternet Protocol Security (IPSEC). IPSEC is an IP-based security protocol that provides FOR secure communication between two IP hosts. A common use ot'the IPSEC protocol is in the building of Virtual Private Networks (VPNs).
In WLAN systems the IPsec protocol can be used to provide end-to-end security for data packets, this security being provided by authenticatinn, and/or encrypting the transmitted data packets. IPsec uses symmetric cryptography that requires use of the same encr,yption aiid/or authentication key at both ends of a communication link. Sealable key management protocols such as IKE can be used to ~enerate the symmetric keys for an IPsec stack.
While the Internet Key Exchange (IKE) kev manacement protocol is useful for the establishment of an IP level security association durinu an initial mobile-terminal/access-point association. when the need for a comniunication handover occurs, the use of IKE or other similar pi=otocois inflicts a considerable time delay on accomplishing the handover since stich protocols require the exchange of multiple messages, and their use of public key encryption requires very heavy coniputation. Since a liandover of the payload traffic can be resumed only after an active security association has been established between the new-AP and the mobile terminal, the use of the IKE
key management protocol or other such protocols presents problems during the handover.
When any security protocol with a dynanlic encryption key, i.e. a session-dependent dynamic key, is applied between a mobile terminal and an AP, it is desirable to find a mechanism for the transfer of an active security association from one AP to another AP, as the mobile terniinal moves within the coverage that is provided by the wireless radio network or system.
It is in light of this background information that the present invention provides a low or short delay method/apparatus for the key management and security association re-establishment during a WLAN communication handover, wherein there is no need to modify the end-to-end security association during handover (e.g. IPsec payload connections between the mobile terminal and a server), and wherein the handover affects only the security functions between the mobile terminal and the new and old APs.
SUMMARY OF THE INVENTION
This invention relates to radio communications, to the IEEE 802.11 2.4 GHz WLAN standard, to high performance radio local area networks (HIPERLANs), to the ETSI HIPERLAN type 2 standard, and to IPSEC level security association between a wireless terminal and network elements. The invention finds utility in any IP based wireless network, examples of which include ETSI BRAN and IEEE 802.11. In addition the invention finds utility when a mobile terminal moves between two IPSEC router entities where a wireless terminal communicates witll an endpoint that is not a wireless access point.
The present invention provides an efficient method/apparatus for re-establishing an existing security association when a handover event occurs in a radio communications system such as an IEEE 802.11 or a HIPERLAN.
Operation of this invention increases handover performance, and minimizes the delay that is associated with re-negotiating an security association between a new AP and a mobile terminal.
The invention provides an efficient way to maintain an establislied security association between a mobile terminal and the wireless communication network when a handover occurs within the network. An example of the utility of the invention is a WLAN having Internet Protocol Security (IPsec) based security association between the APs and the nlobile terminals that are within the WLAN. However, the invention also finds utility for maintaining any type of dynamic security association, such as HIPERLAN/2 radio level security functions.
In accordance with the invention, authentication of a mobile terminal during a handover event is achieved by a challenge/response procedure. In accordance with this challenge/response procedure the new AP sends a challenge to the mobile terminal, whereupon the mobile terminal (MT) responds by sending a response to the new AP.
An authentication key for both ends of the communication pair that is made up of a mobile terminal and an AP is originally generated by a scaleable key management protocol, for example Internet Key Exchange (1KE). Security associations are transferred between the various APs that are within the wireless communication system in order to avoid the need for a new and different key exchange during each handover.
The keys and their related information are requested by a new AP during a handover process, and the keys and other information are transferred from the old AP to the new AP in one or more handover messages that pass between the old AP
and the new AP. The exchange of authentication challenges and the responses
5 thereto are integrated into handover signaling that occurs between the new AP and the mobile terminal that is involved in the handover.
In accordance with a feature of the invention, the messages are medium access control (MAC) messages.
It is to be noted that this invention's feature of providing access point authentication is a desirable but an optional feature.
While a secure connection is preferred between access points, such a feature is not required by the spirit and scope of the invention.
Accordingly, in one aspect of the present invention there is provided in a communication system having a plurality of access-points, each access-point serving a different geographic area within an overall geographic area that is served by said communication system, said communication system further having a plurality of mobile-terminals that are each physically moveable within said overall geographic area and between said different geographic areas, a method of providing information security when communication with a given mobile-terminal is handed-over from a first access-point to a second access-point, comprising the steps of:
sensing when said given mobile-terminal moves from a communication-influence with said first access-point into a communication-influence with said second access-point;
10a responding to said sensing step by retrieving security-association-parameters from said first access-point, by creating a security association at said second access-point in accordance with said retrieved security-association-parameters, and by creating a security association at said given mobile-terminal in accordance with said retrieved security-association-parameters;
responding to said sensing step by sending an authenticate-access-point-challenge from said given mobile-terminal to said second access-point, and by sending an authenticate-mobile-terminal-challenge from said second access-point to said given mobile-terminal;
generating an authenticate-access-point-response at said second access-point in response to said authenticate-access-point-challenge received from said given mobile-terminal;
sending said authenticate-access-point-response to said given mobile-terminal;
generating an authenticate-mobile-terminal-response at said given mobile-terminal in response to said authenticate-mobile-terminal-challenge received from said second access-point;
sending said authenticate-mobile-terminal-response to said second access-point;
first-comparing said authenticate-access-point-response to a correct response at said given mobile-terminal; and second-comparing said authenticate-mobile-terminal-response to a correct response at said second access-point.
According to another aspect of the present invention there is provided an apparatus for maintaining a given security-association in a radio communications system when a communication-handover occurs as a mobile-terminal physically moves from a first geographic area that is served by a first communication-access-point to lOb a second geographic area that is served by a second communication-access-point, said mobile-terminal initially forming a first communication-pair with said first communication-access-point, and after said communication-handover, said mobile-terminal forming a second communication-pair with said second communication-access-point, each member of said first communication-pair having said given security-association associated therewith, the apparatus comprising:
first means at said mobile-terminal for sensing a need to initiate said communication-handover;
second means within said radio communications system and responsive to said first means sensing said need to initiate said communication-handover for establishing said given, security-association at said second communication-access-point;
third means at said mobile-terminal for generating an access-point-challenge as a function of said given security-association, and for sending said access-point-challenge to said second communication-access-point;
fourth means at said second communication-access-point for generating a mobile-terminal-challenge as a function of said given security-association established at said second communication-access-point, and for sending said mobile-terminal-challenge to said mobile-terminal;
fifth means at said mobile-terminal and responsive to said mobile-terminal-challenge for generating a mobile-terminal-response as a function of said given security-association, and for sending said mobile-terminal-response to said second communication-access-point;
sixth means at said second communication-access-point and responsive to said access-point-challenge for generating an access-point-response as a function of said given security-association established at said second communication-access-point, and for sending said access-point-response to said mobile-terminal;
lOc seventh means at said mobile-terminal and responsive to said access-point-response for determining if said access-point-response is correct as a function of said given security-association;
eighth means at said second communication-access-point and responsive to said mobile-terminal-response for determining if said mobile-terminal-response is correct as a function of said given security-association established at said second communication-access-point; and ninth means within said radio communications system and responsive to said eighth and ninth means for establishing said communication-handover when both said mobile-terminal-response and said access-point-response are correct.
These and other features and advantages of the invention will be apparent to those of skill in the art upon reference to the following detailed description of the invention, which description makes reference to the drawing.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. I is a showing of a communication system in which an embodiment of the present invention is operable.
FIG. 2 is a showing of a forward handover process in accordance with the invention.
FIG. 3 is a showing of a backward handover process in accordance with the invention.
FIGS. 4A-4C provide another showing of the forward handover process of FIG. 2.
FIGS 5A-5C provide another showing of the backNvard handover process of FIG. 3.
FIG. 6 is a showing of a HIPERLAN/2 forced handover in accordance with the invention.
FIG. 7 is a showing of a HIPERLAN/2 forward handover in accordance with the invention.
DETAILED DESCRIPTION OF THE INVENTION
FIG. 1 is an example of a communication system that provides for radio communications with and between a plurality of mobile terminals, of which mobile terminal 12 is an example. In another example, an access point covers the radio interface and fixed network bridge, with the access points connected to the fixed network, this example not requiring the CCU shown in FIG. 1.
Communication system 10 forms a WLAN that provides radio communications with a plurality of mobile terminals 12 as set forth in the IEEE 802.11 standard, as well as, potentially, pursuant to a proprietary mode of operation, as is described in the above mentioned copending patent application. Other communication systems are analogous, and operation of the present invention is also operable in such other communication systems.
WLAN 10 includes a plurality of spaced-apai-t APs 14 and 114 that are individually located at two spaced-apart geographic locations. While only two APs 14,114 shown, in actual practice a greater number of APs are utilized. APs 14,114 are sometimes referred to as base stations or remote antenna devices (RADs). The term "access point", "AP", or "ap" shall generally be used herein to identify devices that form points of access to the network infrastructure of communication systeni 10. The term "mobile terminal", "MT" oi- "nIt" shall generally be used to identify devices that fornl points of access to access points.
Each of the APs 14,114 includes radio transceiver circuitry 16 that is capable of transceiving radio communication signals with mobile terminals 12 when the mobile terminals are positioned within comn7unication range of a particular AP. Generally, a mobile terminal 12 communicates with an AP
14,114 when the mobile terminal is positioned within ageographic area or cell 18,118 that is proximate to and defined by a given access point. In FIG.
1, cell 18 is associated with access point 14, mobile terminal 12 resides within cell 18, and cell 118 is associated with access point 114. Note that mode selector 34 is included only when an implementation of the invention uses proprietary radio link level messages, this not being a required implementation of the invention.
Access points 14,114 are coupled to a central control unit (CCU) 22. CCU 22 is typically a hub or an IP router. CCU 22 provides for connections to an external communication network backbone 24. Although not shown, other communication devices, such as other commtuiication stations and other communication networks are typically coupled to communication network backbone 24. In this way, a communication pat11 can be formed to provide for communications between a mobile terminal 12 and communication stations that are coupled, either directly or indirectly, to comiiiunication network backbone 24. Also, local communication between the plurality of mobile terminals 12 is permitted. In a communication between pairs of mobile terminals 12, the communication path formed tllerebetween includes two separate radio-links.
APs 14,114 include control elements 28 that perform various control functions related to operation of the respective APs. In FIG. 1 control elements 28 are each shown to include a comparator 32, a mode selector 34, and a handover availability determiner 36, which control elements are functional and are implemented in any desired manner, such as, for example, algorithms that are executable by processing circuitry. In another implementation, the functions that are performed by such elements are located elsewhere, such as at mobile terminals 12 as indicated by block 28', or at CCU 22 as indicated by block 28". Thus, the functions performed by the control elements can be distributed amongst several different devices.
Note that in accordance with the invention, comparator 32 includes security functions, and blocks 28 include medium access control (MAC) functions.
In the construction and arrangement of FIG. 1, and as taught by the above mentioned copending patent application, a communication pair that consists of an AP 14,114 and a mobile terminal 12 are operable pursuant to a IEEE
802.11 standard-mode when it is determined that the communication pair are not both proprietary-mode compatible, or they are opei-able pursuant to the proprietary-mode when it is determine that both members of the communication pair are proprietary-mode capable. In order to produce this result, a comparator 32 receives identifiers that identify the operable-mode of both the mobile terminal and the access point that form a communication pair.
A mode selector 34 then selects the standard-mode of operation or the proprietary-mode of operation for communication between the mobile terminal and the access point.
As the physical position of a mobile terminal 12 changes from cell 18 to cell 118 during a given communication session, mobile terminal 12 leaves a first geographic area 18 that is serviced by AP 14, and then enter a second geographic area 118 that is serviced by AP 114. This cell-to-cell or area-to-area movement requires a handover of cominunications from the old-AP 14 that is associated with the first area 18 to the new-AP 114 that is associated with the second area 118, thus permitting continued communication with mobile terminal 12.
Handover availability determiner 36 provides indications to mobile terminal 12 of the available APs to which a handover of conlmunications is possible, this availability being contained in an available access point list 38 that contains the identities of the APs that ai-e available for the handover of communications.
Available access point list 38 can be communicated to the mobile terminals 12 at selected time intervals, or access point list 38 can be provided to each mobile terminal 12 when the mobile terminal is initially activated, or a network prefix or list of network prefixes can be used to provide the same goal.
In this explanation of the invention it will be assumed that a security association (SA) exists between mobile terminal 12 and the current or old-AP 14. That is, it will be assumed that nlobile tei-minal 12 and AP 14 share the same common set of keys and other information that is necessary to achieve the security function(s). In accordance with the invention, this established and shared security association is transferred from old-AP 14 to new-AP 114, in a secure fashion, as nlobile terminal moves from cell 18 to cell 118. This transfer is made in a very fast nlanner by minimizing the number of message that are needed to effect the transfer, and by eliminating the use of public key encryption. As a result, the interruption of a payload traffic transfer to and from mobile terminal 12 is minimized, any interruption of this type being very important for real-time services such as Voice over IP
(VOIP) and video distribution.
In accordance with the invention, an authentication key or security 5 association for both ends of the communication link (i.e. the link that involves mobile terminal 12 and AP 14) is generated by a sealable key management protocol, such as IKE, it being noted that Diffie-Hellman key exchange protocol can also be utilized.
10 Later, when mobile terminal 12 moves froni cell 18 and its AP 14 to cell and its AP 114, authentication during the handover process is achieved by the invention's simple challenge/response procedure. Also, security associations are transferred between old-AP 14 and new-AP 114, thus avoiding the need for a new key exchange during a handover from old-AP 14 to new-AP 114.
During the challenge/response procedure, new-AP 118 sends a challenge to mobile terminal 12, whereupon mobile terminal 12 sends a response to new-AP 118. In addition, mobile terminal 12 authenticates new-AP 118 in a similar manner during the handover.
The keys and related information are requested by new-AP 114, whereupon they are transferred from old-AP 14 to new-AP 114 in handover messages.
Similarly, the exchange of the authentication challenges and the responses thereto are integrated into the handover signaling that occurs between new-AP
114 and mobile terminal 12.
FIG. 2 shows a forward handover (HO) process 20 in accordance with the invention, this being a preferred embodiment of the invention. In forward handover process 20 the handover signaling is sent between mobile terminal 09-10-2001 I B000171:
(MT or rnt)'snd new-access point (AP or ap) 114. This type ofhandover is especially useful whcn radio link 21 is lost without prior waming.
FIG 3 shows a backward handover (HO) process 30 in accordance with the invention.
In backward handover process 30 handover is requested by mobile termina112 communication with old-AP 14, this resulting in a somewhat different message sequence than is shown in FIG. 2. During a backward handover a beneficial opdon is to use the radio interface message 31 that carries the authentication challenge from old-AP 14 to mobile tenninal 12 to also trigger backward handover 33. That is, authentication challenge 31 is used to indicate to mobile termina112 that it should disconnect from old-AP 14 and connect to new-AP 114 whereat a security association (SA) 35 has already been prepared for mobile teruina112.
As used herein, the terrn "old-AP" means ran access point such as access point 14 with which mobile terniina112 is originally or currently communicating. Thus, the term "old-AP" also means a "current-AP" with which mobile termi.pa112 is communicating at a time that a communication handover is required.
As used herein, the term "new-AP" means an access point such as access point with which mobile ternuna112 must begin communicating because the mobile terminal has geographically moved from an old ce1118 to a ncw cc11118. Thus, the term "new-AP" also means a"future-AP" with which mobile terminal 12 will communicate after a communication handover has been completed.
In FIGS. 2 and 3 IEEE 802.11 message names are used, and additional parameters of the handover messages are shown. However, this naming of the messages is not ' critical to the scope of this invention since the AMENDED SHEET
Emvfanvs~eit 4.f)kt. J1:~0 invention can be accomplished in other systems than IEEE 802.11. The use of extended MAC (medium access conti-ol) messages in FIGS 2 and 3 to carrv the additional paranleters over the radio interfaces is hoxvever beneficial in that the need to send additional messages is a\'oided.
In order to guarantee security, it is desirable that inessages that cari-y the keys be ciphered. Therefore, the transfer of securitv association or SA and othei-control traffic between APs 14,114 is shown as being encrypted and authenticated by IPsec.
The specific means whereby it is determined that mobile terminal 12 has physically moved relative to cells 18,118, suc11 that handover is required, is not critical to the present invention. For example, the procedure can be analogous to that used in conventional tinie-division cellular systems that use mobile assisted handover procedures. In general, nlobile terminal 12 tunes to control channels of the base stations or APs of adjacent cells such as cells 18,118, for example at timed intervals. The signal strength, or some other signal characteristic such as bit error rate, of the signals that are broadcast on these control channels are then measures oi- sensed by mobile terminal 12.
Uplink signals that are based upon this measurement at mobile terminal 12 ai-e then sent by the mobile terminal to network 10, whereupon netNN-ork 10 determines whether a communication handover should be effected. When it is determined that handover is required, instructions are sent to mobile terminal 12, and the communication handover process of FIG. 2 or FIG. 3 begins.
FIGS. 4A-4C provide another showing of forward handover process 20 wherein communication handover of nlobile tei-minal 12 is provided relative to old-AP 14 and new-AP 114 as nlobile terminal nioves from cell 18 to cell 118. In this figure a mobile terminal or MT is also referred to using the term "mt", and an access point or AP is also referred to using the term "ap".
With reference to FIG. 4A, forwai-d handover process 20 is initiated at mobile terminal 12 by the yes output 400 of eve t 401 indicating that handover is required. Mobile terminal 12 now operates at function 402 to activate its radio handover function.
At function 403 mobile terminal 12 generates a challenge to new-AP 114, whereupon at function 404 a MAC_REASSOCIATE_REQ message that contains "nlt_challenge" is sent to new-AY 1 14.
At function 405, new-AP 114 accepts message 404, whereupon new-AI' 114 operates at function 406 to send a handover request to old-AP 14.
Old-AP 14 now operates at funetion 407 to retrieve security association parameters SA,SA from its security association database. Old-AP 14 then operates at function 408 to send a handover request that contains the parameters SA,SA to new-AP 114.
With reference to FIG. 4B, new-AP 1 14 now operates at function 409 to create a security association (SA), opei-ates at function 410 to generate a challenge to authenticate mobile terminal 12, operates at function 411 to calculate a response to the "mt_challenge" that was contained in FIG. 4A's message 404, and operates at function 412 to send a^
MAC_AUTHENTICATE_REQ message to iiiobile terminal 12. Message 412 contains the "ap_response" that was calculated by operation of function 411.
contains the "ap_challenge" that was generated by operation of function 410, and contains "other information".
Mobile terminal 12 now operates at function 413 to update its security association parameters, operates at function 414 to calculate a response to the "ap_challenge" that was received by way of inessa(-,e 412, and operates at function 415 to compare the "ap_response" that was received bv way of message 412 to the correct oi- expected response.
When the comparison performed by function 415 pi-oduces a correct conlpare, function 416 operates to authenticate new-AP 114, whereupon ffiulction 417 operates to send a MAC_AUTHENTICATE_RESP message to new-AP 114, this message containing the "int_response" that was calculated at ffimction 414.
With reference now to FIG. 4C, at function 418 ne\N-AP 114 operates to compare the "mt_response" that it received by way of inessage 417 to the proper or correct response, and when this comparison produces the correct compare, function 419 operates to authenticate niobile tern7inal 12. New-AP
114 then operates at function 420 to send a MAC_REASSOCIATE_RESP
message to mobile terminal 12, whereupon handover is completed and mobile terminal 12 thereafter operates at function 421 to resume its payload traffic using new-AP 114.
FIGS 5A-5C provide another showing of backward handover process 30 wherein communication handover is provided i'or niobile ternlinal 12 relative to old-AP 14 and new-AP 114. In this figui-e a mobile tei-minal or MT is also referred to using the term "mt", and an access point or AP is also referred to using the term "ap".
Witll reference to FIG. 5A, backward handover process 30 is initiated at mobile terminal 12 by the yes output 500 of event 501 indicating that handover is required. Mobile terminal 12 now operates at function 502 to send a handover request to old-AP 14.
When messaue 502 is received at old-AP 14. function 503) accepts thr messa-e, t'unction 504 operates io rrtriex-c ,rcurity association parameters SA.SA from its securivv association is:\ idata haac. and I'uuction SU5 operates tn send a handover request that contains lhe parameters SA.SA to nexv-AP
5 114.
Usin~~ the parameters SA.SA that were received in message 505. new-AP 114 noxv operates at funetion 506 to create its o\%*n securitV assuciation (SA).
New-AP 114 then operates at function 507 tu generate a challenue to 10 authenticate mobile terminal 12. and at f11nction 506 a handover request is sent to old-AP 14. this request 50 incluLlinLI the "ap_chalirn~~e" that was L,enerated at function 507, and "other informution".
With reference now to FIG. 5B, in response to message 508, old-AP 14 15 operates at function 509 to send a MAC_DISASSOCIATE message to mobile terminal 12, this message containing the "ap_challenge" and the "other information" that was old-AP 14 received from new-AP 114 by way of messa-e 508.
20 In response to messaUe 509, mobilz termitwl 12 activates its radio handover function at 510. At function 511 mobile terminal 12 now updates its securitv association parameters, at f'unction 512 mobile terniinal 12 operates to calculate a response to the "ap_challenue" portion of niessages 508 and 509.
at function 513 mobile terminal 12 operates to generate a challenge to authenticate new-AP 114. and at f'tunctiun 5 14 mubile terminLtl 12 ,end a MAC_REASSOCIATE_REQ messa,_e lo ncw-Al' 114. Message 514 contains the "mt_response" that was calculated at funclion 512. tlte "mt_challen2e"
that was generated at function 513. and -other information".
With reference now to FIG. 5C, functiou 515 provides authentication of mobile terminal 12, function 516 compares the "n-it_response" that was received by way of n7essage 513 to the correct or expected response, function 517 calculates a response to the "nit_challenue" that Nvas received by Nvay of message 513, and function 518 operates to send a MACREASSOCIATERESP ENH message to mobile terminal 12, inessage 518 containing the "ap_response" that was calculated by finzction 517.
At function 5 1 9 mobile terminal 1 2 opel-ates to authenticate ne~v-AP 1 14 by comparing at function 520 the "ap_response" contained in message 518 with the correct or expected response, and as a result of this cori-ect conlparison, function 521 causes n7obile terminal 12 to i-esume payload traffic using new-AP 114.
From the above it can be seen that the present invention provides a method/apparatus the provides for information security when communication with a given mobile-terminal 12 is handed-over from a first access-point 14 to a second access-point 114. A con7munication system 10 is provided having a plurality of access-points, each access point serving a different geographic area that is within an overall geocraphic area that is served by conlmunication systenl 10, and a plurality of rnobile-tei-minals 12 ai-e provided wlierein the mobile-tern7inals are individually physically moveable witllin the overall geographic area and between the different geographic areas.
In the handover process/apparatus of the invention, first it is sensed wlhen a given mobile-terminal 12 nioves froni a communication-influence with a first access-point 14 into a coniniunication-influence with a second access-point 114 (see 401 of FIG. 4A and 501 of FIG. 5A).
When such a move is sensed. securit~?-association-parameters are i'etched !'rom first access-point 14 (see 407 ui'1716. -lA and 504 c,l'1=1C_;. 5A). a sccurit\=
association is created at seeond access point 114 in accordance with thr retrieved security-association-parameters i ser 401) of' I-IG. 4B and 506 o1' FIIi.
5A). and a security association created at `_iven mobile-terminal 12 in accordance with the retrieved security-association-parameters (see 413 of FIG. 4B and 511 of FIG. 5B).
Also. when such a move is sensed. an authenticcue-a,:cess-puint-challen_e is sent from given niobile-terniinal 12 to the strond access-point 114 (see 404 ot' FIG. 4A and 514 of FIG. 5B), and an authenticate-mobile-terniinal-challen,~e is sent froni second access-point 114 to given mobile-terminal 12 (see 412 ot' FIG. 4B and 508 of FIG. 5A). Note that the above described access-point-challenge is an optional feature of' the invention.
In response to the authenticate-access-point-challenge that is received from tiven mobile-terminal 12, second access-point 114 now generates an authenticate-access-point-response (see 411 of FIG. 4B and 517 of FIG. 5C), and this authenticate-access-point-response is sent to given mobile terminal 12 (see 412 of FIG. 4B and 518 of' FIG. 5C ).
In response to the authenticate-mobile-terminal-challen,,e that is received ,liven mobile-ternlinal 121 now calculates an from second access-point 114, authenticate-mobile-terminal-response Iser -114 of' Flv. 4B and 512 of FIG.
5B). and tliis authenticate-mobile-terminal-respunse is sent to second access-point 114 (see =117 of FIG. 4B and 514 of' FIG. >B).
A first-compare at given mobile-terminal 11- now operates to conipare the authenticate-access-point-response that is received from second access-point 114 to a correct or an expected response (see 415 of FIG. 4B and 520 of FIG.
5C), and a second-compare at second, access-point 114 now operates to compare the authenticate-mobile-terminal-response that is received from given mobile-terminal 12 to a correct or an expected response (see 418 of FIG 4C and 516 ofFiG. SC).
Finally, communicatioll is initiated between given mobile-terminal 12 and second access-point 114 based upon the outcome of the first-compare and the second-compare (see 421 of F1G, 4C and 521 of FIG. SC).
FIGS. 6 and 7 show two additional embodiments of the invention. While the specific details of the FIGS. 6 and 7 embodiments differ in the specific details thereof, the content of the FIGS. 6 and 7 embodimenss wiA be readily apparent by way of a comparison to the above-described FIG. 2, 3, 4A-4C, and 5A-5C, embodiments of the invention.
While the invention has been described in detail while making reference to prefened embodiments thereof, no part of this detailed description is not to be taken as a limitation on the spirit and scope of the invention, since it is known that others skilled in this art will readily visualize yet other embodiments that are within the scope of this invention once the invention is generally known as defined by the appended claims.
In accordance with a feature of the invention, the messages are medium access control (MAC) messages.
It is to be noted that this invention's feature of providing access point authentication is a desirable but an optional feature.
While a secure connection is preferred between access points, such a feature is not required by the spirit and scope of the invention.
Accordingly, in one aspect of the present invention there is provided in a communication system having a plurality of access-points, each access-point serving a different geographic area within an overall geographic area that is served by said communication system, said communication system further having a plurality of mobile-terminals that are each physically moveable within said overall geographic area and between said different geographic areas, a method of providing information security when communication with a given mobile-terminal is handed-over from a first access-point to a second access-point, comprising the steps of:
sensing when said given mobile-terminal moves from a communication-influence with said first access-point into a communication-influence with said second access-point;
10a responding to said sensing step by retrieving security-association-parameters from said first access-point, by creating a security association at said second access-point in accordance with said retrieved security-association-parameters, and by creating a security association at said given mobile-terminal in accordance with said retrieved security-association-parameters;
responding to said sensing step by sending an authenticate-access-point-challenge from said given mobile-terminal to said second access-point, and by sending an authenticate-mobile-terminal-challenge from said second access-point to said given mobile-terminal;
generating an authenticate-access-point-response at said second access-point in response to said authenticate-access-point-challenge received from said given mobile-terminal;
sending said authenticate-access-point-response to said given mobile-terminal;
generating an authenticate-mobile-terminal-response at said given mobile-terminal in response to said authenticate-mobile-terminal-challenge received from said second access-point;
sending said authenticate-mobile-terminal-response to said second access-point;
first-comparing said authenticate-access-point-response to a correct response at said given mobile-terminal; and second-comparing said authenticate-mobile-terminal-response to a correct response at said second access-point.
According to another aspect of the present invention there is provided an apparatus for maintaining a given security-association in a radio communications system when a communication-handover occurs as a mobile-terminal physically moves from a first geographic area that is served by a first communication-access-point to lOb a second geographic area that is served by a second communication-access-point, said mobile-terminal initially forming a first communication-pair with said first communication-access-point, and after said communication-handover, said mobile-terminal forming a second communication-pair with said second communication-access-point, each member of said first communication-pair having said given security-association associated therewith, the apparatus comprising:
first means at said mobile-terminal for sensing a need to initiate said communication-handover;
second means within said radio communications system and responsive to said first means sensing said need to initiate said communication-handover for establishing said given, security-association at said second communication-access-point;
third means at said mobile-terminal for generating an access-point-challenge as a function of said given security-association, and for sending said access-point-challenge to said second communication-access-point;
fourth means at said second communication-access-point for generating a mobile-terminal-challenge as a function of said given security-association established at said second communication-access-point, and for sending said mobile-terminal-challenge to said mobile-terminal;
fifth means at said mobile-terminal and responsive to said mobile-terminal-challenge for generating a mobile-terminal-response as a function of said given security-association, and for sending said mobile-terminal-response to said second communication-access-point;
sixth means at said second communication-access-point and responsive to said access-point-challenge for generating an access-point-response as a function of said given security-association established at said second communication-access-point, and for sending said access-point-response to said mobile-terminal;
lOc seventh means at said mobile-terminal and responsive to said access-point-response for determining if said access-point-response is correct as a function of said given security-association;
eighth means at said second communication-access-point and responsive to said mobile-terminal-response for determining if said mobile-terminal-response is correct as a function of said given security-association established at said second communication-access-point; and ninth means within said radio communications system and responsive to said eighth and ninth means for establishing said communication-handover when both said mobile-terminal-response and said access-point-response are correct.
These and other features and advantages of the invention will be apparent to those of skill in the art upon reference to the following detailed description of the invention, which description makes reference to the drawing.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. I is a showing of a communication system in which an embodiment of the present invention is operable.
FIG. 2 is a showing of a forward handover process in accordance with the invention.
FIG. 3 is a showing of a backward handover process in accordance with the invention.
FIGS. 4A-4C provide another showing of the forward handover process of FIG. 2.
FIGS 5A-5C provide another showing of the backNvard handover process of FIG. 3.
FIG. 6 is a showing of a HIPERLAN/2 forced handover in accordance with the invention.
FIG. 7 is a showing of a HIPERLAN/2 forward handover in accordance with the invention.
DETAILED DESCRIPTION OF THE INVENTION
FIG. 1 is an example of a communication system that provides for radio communications with and between a plurality of mobile terminals, of which mobile terminal 12 is an example. In another example, an access point covers the radio interface and fixed network bridge, with the access points connected to the fixed network, this example not requiring the CCU shown in FIG. 1.
Communication system 10 forms a WLAN that provides radio communications with a plurality of mobile terminals 12 as set forth in the IEEE 802.11 standard, as well as, potentially, pursuant to a proprietary mode of operation, as is described in the above mentioned copending patent application. Other communication systems are analogous, and operation of the present invention is also operable in such other communication systems.
WLAN 10 includes a plurality of spaced-apai-t APs 14 and 114 that are individually located at two spaced-apart geographic locations. While only two APs 14,114 shown, in actual practice a greater number of APs are utilized. APs 14,114 are sometimes referred to as base stations or remote antenna devices (RADs). The term "access point", "AP", or "ap" shall generally be used herein to identify devices that form points of access to the network infrastructure of communication systeni 10. The term "mobile terminal", "MT" oi- "nIt" shall generally be used to identify devices that fornl points of access to access points.
Each of the APs 14,114 includes radio transceiver circuitry 16 that is capable of transceiving radio communication signals with mobile terminals 12 when the mobile terminals are positioned within comn7unication range of a particular AP. Generally, a mobile terminal 12 communicates with an AP
14,114 when the mobile terminal is positioned within ageographic area or cell 18,118 that is proximate to and defined by a given access point. In FIG.
1, cell 18 is associated with access point 14, mobile terminal 12 resides within cell 18, and cell 118 is associated with access point 114. Note that mode selector 34 is included only when an implementation of the invention uses proprietary radio link level messages, this not being a required implementation of the invention.
Access points 14,114 are coupled to a central control unit (CCU) 22. CCU 22 is typically a hub or an IP router. CCU 22 provides for connections to an external communication network backbone 24. Although not shown, other communication devices, such as other commtuiication stations and other communication networks are typically coupled to communication network backbone 24. In this way, a communication pat11 can be formed to provide for communications between a mobile terminal 12 and communication stations that are coupled, either directly or indirectly, to comiiiunication network backbone 24. Also, local communication between the plurality of mobile terminals 12 is permitted. In a communication between pairs of mobile terminals 12, the communication path formed tllerebetween includes two separate radio-links.
APs 14,114 include control elements 28 that perform various control functions related to operation of the respective APs. In FIG. 1 control elements 28 are each shown to include a comparator 32, a mode selector 34, and a handover availability determiner 36, which control elements are functional and are implemented in any desired manner, such as, for example, algorithms that are executable by processing circuitry. In another implementation, the functions that are performed by such elements are located elsewhere, such as at mobile terminals 12 as indicated by block 28', or at CCU 22 as indicated by block 28". Thus, the functions performed by the control elements can be distributed amongst several different devices.
Note that in accordance with the invention, comparator 32 includes security functions, and blocks 28 include medium access control (MAC) functions.
In the construction and arrangement of FIG. 1, and as taught by the above mentioned copending patent application, a communication pair that consists of an AP 14,114 and a mobile terminal 12 are operable pursuant to a IEEE
802.11 standard-mode when it is determined that the communication pair are not both proprietary-mode compatible, or they are opei-able pursuant to the proprietary-mode when it is determine that both members of the communication pair are proprietary-mode capable. In order to produce this result, a comparator 32 receives identifiers that identify the operable-mode of both the mobile terminal and the access point that form a communication pair.
A mode selector 34 then selects the standard-mode of operation or the proprietary-mode of operation for communication between the mobile terminal and the access point.
As the physical position of a mobile terminal 12 changes from cell 18 to cell 118 during a given communication session, mobile terminal 12 leaves a first geographic area 18 that is serviced by AP 14, and then enter a second geographic area 118 that is serviced by AP 114. This cell-to-cell or area-to-area movement requires a handover of cominunications from the old-AP 14 that is associated with the first area 18 to the new-AP 114 that is associated with the second area 118, thus permitting continued communication with mobile terminal 12.
Handover availability determiner 36 provides indications to mobile terminal 12 of the available APs to which a handover of conlmunications is possible, this availability being contained in an available access point list 38 that contains the identities of the APs that ai-e available for the handover of communications.
Available access point list 38 can be communicated to the mobile terminals 12 at selected time intervals, or access point list 38 can be provided to each mobile terminal 12 when the mobile terminal is initially activated, or a network prefix or list of network prefixes can be used to provide the same goal.
In this explanation of the invention it will be assumed that a security association (SA) exists between mobile terminal 12 and the current or old-AP 14. That is, it will be assumed that nlobile tei-minal 12 and AP 14 share the same common set of keys and other information that is necessary to achieve the security function(s). In accordance with the invention, this established and shared security association is transferred from old-AP 14 to new-AP 114, in a secure fashion, as nlobile terminal moves from cell 18 to cell 118. This transfer is made in a very fast nlanner by minimizing the number of message that are needed to effect the transfer, and by eliminating the use of public key encryption. As a result, the interruption of a payload traffic transfer to and from mobile terminal 12 is minimized, any interruption of this type being very important for real-time services such as Voice over IP
(VOIP) and video distribution.
In accordance with the invention, an authentication key or security 5 association for both ends of the communication link (i.e. the link that involves mobile terminal 12 and AP 14) is generated by a sealable key management protocol, such as IKE, it being noted that Diffie-Hellman key exchange protocol can also be utilized.
10 Later, when mobile terminal 12 moves froni cell 18 and its AP 14 to cell and its AP 114, authentication during the handover process is achieved by the invention's simple challenge/response procedure. Also, security associations are transferred between old-AP 14 and new-AP 114, thus avoiding the need for a new key exchange during a handover from old-AP 14 to new-AP 114.
During the challenge/response procedure, new-AP 118 sends a challenge to mobile terminal 12, whereupon mobile terminal 12 sends a response to new-AP 118. In addition, mobile terminal 12 authenticates new-AP 118 in a similar manner during the handover.
The keys and related information are requested by new-AP 114, whereupon they are transferred from old-AP 14 to new-AP 114 in handover messages.
Similarly, the exchange of the authentication challenges and the responses thereto are integrated into the handover signaling that occurs between new-AP
114 and mobile terminal 12.
FIG. 2 shows a forward handover (HO) process 20 in accordance with the invention, this being a preferred embodiment of the invention. In forward handover process 20 the handover signaling is sent between mobile terminal 09-10-2001 I B000171:
(MT or rnt)'snd new-access point (AP or ap) 114. This type ofhandover is especially useful whcn radio link 21 is lost without prior waming.
FIG 3 shows a backward handover (HO) process 30 in accordance with the invention.
In backward handover process 30 handover is requested by mobile termina112 communication with old-AP 14, this resulting in a somewhat different message sequence than is shown in FIG. 2. During a backward handover a beneficial opdon is to use the radio interface message 31 that carries the authentication challenge from old-AP 14 to mobile tenninal 12 to also trigger backward handover 33. That is, authentication challenge 31 is used to indicate to mobile termina112 that it should disconnect from old-AP 14 and connect to new-AP 114 whereat a security association (SA) 35 has already been prepared for mobile teruina112.
As used herein, the terrn "old-AP" means ran access point such as access point 14 with which mobile terniina112 is originally or currently communicating. Thus, the term "old-AP" also means a "current-AP" with which mobile termi.pa112 is communicating at a time that a communication handover is required.
As used herein, the term "new-AP" means an access point such as access point with which mobile ternuna112 must begin communicating because the mobile terminal has geographically moved from an old ce1118 to a ncw cc11118. Thus, the term "new-AP" also means a"future-AP" with which mobile terminal 12 will communicate after a communication handover has been completed.
In FIGS. 2 and 3 IEEE 802.11 message names are used, and additional parameters of the handover messages are shown. However, this naming of the messages is not ' critical to the scope of this invention since the AMENDED SHEET
Emvfanvs~eit 4.f)kt. J1:~0 invention can be accomplished in other systems than IEEE 802.11. The use of extended MAC (medium access conti-ol) messages in FIGS 2 and 3 to carrv the additional paranleters over the radio interfaces is hoxvever beneficial in that the need to send additional messages is a\'oided.
In order to guarantee security, it is desirable that inessages that cari-y the keys be ciphered. Therefore, the transfer of securitv association or SA and othei-control traffic between APs 14,114 is shown as being encrypted and authenticated by IPsec.
The specific means whereby it is determined that mobile terminal 12 has physically moved relative to cells 18,118, suc11 that handover is required, is not critical to the present invention. For example, the procedure can be analogous to that used in conventional tinie-division cellular systems that use mobile assisted handover procedures. In general, nlobile terminal 12 tunes to control channels of the base stations or APs of adjacent cells such as cells 18,118, for example at timed intervals. The signal strength, or some other signal characteristic such as bit error rate, of the signals that are broadcast on these control channels are then measures oi- sensed by mobile terminal 12.
Uplink signals that are based upon this measurement at mobile terminal 12 ai-e then sent by the mobile terminal to network 10, whereupon netNN-ork 10 determines whether a communication handover should be effected. When it is determined that handover is required, instructions are sent to mobile terminal 12, and the communication handover process of FIG. 2 or FIG. 3 begins.
FIGS. 4A-4C provide another showing of forward handover process 20 wherein communication handover of nlobile tei-minal 12 is provided relative to old-AP 14 and new-AP 114 as nlobile terminal nioves from cell 18 to cell 118. In this figure a mobile terminal or MT is also referred to using the term "mt", and an access point or AP is also referred to using the term "ap".
With reference to FIG. 4A, forwai-d handover process 20 is initiated at mobile terminal 12 by the yes output 400 of eve t 401 indicating that handover is required. Mobile terminal 12 now operates at function 402 to activate its radio handover function.
At function 403 mobile terminal 12 generates a challenge to new-AP 114, whereupon at function 404 a MAC_REASSOCIATE_REQ message that contains "nlt_challenge" is sent to new-AY 1 14.
At function 405, new-AP 114 accepts message 404, whereupon new-AI' 114 operates at function 406 to send a handover request to old-AP 14.
Old-AP 14 now operates at funetion 407 to retrieve security association parameters SA,SA from its security association database. Old-AP 14 then operates at function 408 to send a handover request that contains the parameters SA,SA to new-AP 114.
With reference to FIG. 4B, new-AP 1 14 now operates at function 409 to create a security association (SA), opei-ates at function 410 to generate a challenge to authenticate mobile terminal 12, operates at function 411 to calculate a response to the "mt_challenge" that was contained in FIG. 4A's message 404, and operates at function 412 to send a^
MAC_AUTHENTICATE_REQ message to iiiobile terminal 12. Message 412 contains the "ap_response" that was calculated by operation of function 411.
contains the "ap_challenge" that was generated by operation of function 410, and contains "other information".
Mobile terminal 12 now operates at function 413 to update its security association parameters, operates at function 414 to calculate a response to the "ap_challenge" that was received by way of inessa(-,e 412, and operates at function 415 to compare the "ap_response" that was received bv way of message 412 to the correct oi- expected response.
When the comparison performed by function 415 pi-oduces a correct conlpare, function 416 operates to authenticate new-AP 114, whereupon ffiulction 417 operates to send a MAC_AUTHENTICATE_RESP message to new-AP 114, this message containing the "int_response" that was calculated at ffimction 414.
With reference now to FIG. 4C, at function 418 ne\N-AP 114 operates to compare the "mt_response" that it received by way of inessage 417 to the proper or correct response, and when this comparison produces the correct compare, function 419 operates to authenticate niobile tern7inal 12. New-AP
114 then operates at function 420 to send a MAC_REASSOCIATE_RESP
message to mobile terminal 12, whereupon handover is completed and mobile terminal 12 thereafter operates at function 421 to resume its payload traffic using new-AP 114.
FIGS 5A-5C provide another showing of backward handover process 30 wherein communication handover is provided i'or niobile ternlinal 12 relative to old-AP 14 and new-AP 114. In this figui-e a mobile tei-minal or MT is also referred to using the term "mt", and an access point or AP is also referred to using the term "ap".
Witll reference to FIG. 5A, backward handover process 30 is initiated at mobile terminal 12 by the yes output 500 of event 501 indicating that handover is required. Mobile terminal 12 now operates at function 502 to send a handover request to old-AP 14.
When messaue 502 is received at old-AP 14. function 503) accepts thr messa-e, t'unction 504 operates io rrtriex-c ,rcurity association parameters SA.SA from its securivv association is:\ idata haac. and I'uuction SU5 operates tn send a handover request that contains lhe parameters SA.SA to nexv-AP
5 114.
Usin~~ the parameters SA.SA that were received in message 505. new-AP 114 noxv operates at funetion 506 to create its o\%*n securitV assuciation (SA).
New-AP 114 then operates at function 507 tu generate a challenue to 10 authenticate mobile terminal 12. and at f11nction 506 a handover request is sent to old-AP 14. this request 50 incluLlinLI the "ap_chalirn~~e" that was L,enerated at function 507, and "other informution".
With reference now to FIG. 5B, in response to message 508, old-AP 14 15 operates at function 509 to send a MAC_DISASSOCIATE message to mobile terminal 12, this message containing the "ap_challenge" and the "other information" that was old-AP 14 received from new-AP 114 by way of messa-e 508.
20 In response to messaUe 509, mobilz termitwl 12 activates its radio handover function at 510. At function 511 mobile terminal 12 now updates its securitv association parameters, at f'unction 512 mobile terniinal 12 operates to calculate a response to the "ap_challenue" portion of niessages 508 and 509.
at function 513 mobile terminal 12 operates to generate a challenge to authenticate new-AP 114. and at f'tunctiun 5 14 mubile terminLtl 12 ,end a MAC_REASSOCIATE_REQ messa,_e lo ncw-Al' 114. Message 514 contains the "mt_response" that was calculated at funclion 512. tlte "mt_challen2e"
that was generated at function 513. and -other information".
With reference now to FIG. 5C, functiou 515 provides authentication of mobile terminal 12, function 516 compares the "n-it_response" that was received by way of n7essage 513 to the correct or expected response, function 517 calculates a response to the "nit_challenue" that Nvas received by Nvay of message 513, and function 518 operates to send a MACREASSOCIATERESP ENH message to mobile terminal 12, inessage 518 containing the "ap_response" that was calculated by finzction 517.
At function 5 1 9 mobile terminal 1 2 opel-ates to authenticate ne~v-AP 1 14 by comparing at function 520 the "ap_response" contained in message 518 with the correct or expected response, and as a result of this cori-ect conlparison, function 521 causes n7obile terminal 12 to i-esume payload traffic using new-AP 114.
From the above it can be seen that the present invention provides a method/apparatus the provides for information security when communication with a given mobile-terminal 12 is handed-over from a first access-point 14 to a second access-point 114. A con7munication system 10 is provided having a plurality of access-points, each access point serving a different geographic area that is within an overall geocraphic area that is served by conlmunication systenl 10, and a plurality of rnobile-tei-minals 12 ai-e provided wlierein the mobile-tern7inals are individually physically moveable witllin the overall geographic area and between the different geographic areas.
In the handover process/apparatus of the invention, first it is sensed wlhen a given mobile-terminal 12 nioves froni a communication-influence with a first access-point 14 into a coniniunication-influence with a second access-point 114 (see 401 of FIG. 4A and 501 of FIG. 5A).
When such a move is sensed. securit~?-association-parameters are i'etched !'rom first access-point 14 (see 407 ui'1716. -lA and 504 c,l'1=1C_;. 5A). a sccurit\=
association is created at seeond access point 114 in accordance with thr retrieved security-association-parameters i ser 401) of' I-IG. 4B and 506 o1' FIIi.
5A). and a security association created at `_iven mobile-terminal 12 in accordance with the retrieved security-association-parameters (see 413 of FIG. 4B and 511 of FIG. 5B).
Also. when such a move is sensed. an authenticcue-a,:cess-puint-challen_e is sent from given niobile-terniinal 12 to the strond access-point 114 (see 404 ot' FIG. 4A and 514 of FIG. 5B), and an authenticate-mobile-terniinal-challen,~e is sent froni second access-point 114 to given mobile-terminal 12 (see 412 ot' FIG. 4B and 508 of FIG. 5A). Note that the above described access-point-challenge is an optional feature of' the invention.
In response to the authenticate-access-point-challenge that is received from tiven mobile-terminal 12, second access-point 114 now generates an authenticate-access-point-response (see 411 of FIG. 4B and 517 of FIG. 5C), and this authenticate-access-point-response is sent to given mobile terminal 12 (see 412 of FIG. 4B and 518 of' FIG. 5C ).
In response to the authenticate-mobile-terminal-challen,,e that is received ,liven mobile-ternlinal 121 now calculates an from second access-point 114, authenticate-mobile-terminal-response Iser -114 of' Flv. 4B and 512 of FIG.
5B). and tliis authenticate-mobile-terminal-respunse is sent to second access-point 114 (see =117 of FIG. 4B and 514 of' FIG. >B).
A first-compare at given mobile-terminal 11- now operates to conipare the authenticate-access-point-response that is received from second access-point 114 to a correct or an expected response (see 415 of FIG. 4B and 520 of FIG.
5C), and a second-compare at second, access-point 114 now operates to compare the authenticate-mobile-terminal-response that is received from given mobile-terminal 12 to a correct or an expected response (see 418 of FIG 4C and 516 ofFiG. SC).
Finally, communicatioll is initiated between given mobile-terminal 12 and second access-point 114 based upon the outcome of the first-compare and the second-compare (see 421 of F1G, 4C and 521 of FIG. SC).
FIGS. 6 and 7 show two additional embodiments of the invention. While the specific details of the FIGS. 6 and 7 embodiments differ in the specific details thereof, the content of the FIGS. 6 and 7 embodimenss wiA be readily apparent by way of a comparison to the above-described FIG. 2, 3, 4A-4C, and 5A-5C, embodiments of the invention.
While the invention has been described in detail while making reference to prefened embodiments thereof, no part of this detailed description is not to be taken as a limitation on the spirit and scope of the invention, since it is known that others skilled in this art will readily visualize yet other embodiments that are within the scope of this invention once the invention is generally known as defined by the appended claims.
Claims (16)
1. In a communication system having a plurality of access-points, each access-point serving a different geographic area within an overall geographic area that is served by said communication system, said communication system further having a plurality of mobile-terminals that are each physically moveable within said overall geographic area and between said different geographic areas, a method of providing information security when communication with a given mobile-terminal is handed-over from a first access-point to a second access-point, comprising the steps of:
sensing when said given mobile-terminal moves from a communication-influence with said first access-point into a communication-influence with said second access-point;
responding to said sensing step by retrieving security-association-parameters from said first access-point, by creating a security association at said second access-point in accordance with said retrieved security-association-parameters, and by creating a security association at said given mobile-terminal in accordance with said retrieved security-association-parameters;
responding to said sensing step by sending an authenticate-access-point-challenge from said given mobile-terminal to said second access-point, and by sending an authenticate-mobile-terminal-challenge from said second access-point to said given mobile-terminal;
generating an authenticate-access-point-response at said second access-point in response to said authenticate-access-point-challenge received from said given mobile-terminal;
sending said authenticate-access-point-response to said given mobile-terminal;
generating an authenticate-mobile-terminal-response at said given mobile-terminal in response to said authenticate-mobile-terminal-challenge received from said second access-point;
sending said authenticate-mobile-terminal-response to said second access-point;
first-comparing said authenticate-access-point-response to a correct response at said given mobile-terminal; and second-comparing said authenticate-mobile-terminal-response to a correct response at said second access-point.
sensing when said given mobile-terminal moves from a communication-influence with said first access-point into a communication-influence with said second access-point;
responding to said sensing step by retrieving security-association-parameters from said first access-point, by creating a security association at said second access-point in accordance with said retrieved security-association-parameters, and by creating a security association at said given mobile-terminal in accordance with said retrieved security-association-parameters;
responding to said sensing step by sending an authenticate-access-point-challenge from said given mobile-terminal to said second access-point, and by sending an authenticate-mobile-terminal-challenge from said second access-point to said given mobile-terminal;
generating an authenticate-access-point-response at said second access-point in response to said authenticate-access-point-challenge received from said given mobile-terminal;
sending said authenticate-access-point-response to said given mobile-terminal;
generating an authenticate-mobile-terminal-response at said given mobile-terminal in response to said authenticate-mobile-terminal-challenge received from said second access-point;
sending said authenticate-mobile-terminal-response to said second access-point;
first-comparing said authenticate-access-point-response to a correct response at said given mobile-terminal; and second-comparing said authenticate-mobile-terminal-response to a correct response at said second access-point.
2. The method of claim 1 wherein said plurality of mobile-terminals have a media access control layer and compatible physical layers, and wherein said authenticate-access-point-challenge, authenticate-mobile-terminal-challenge and authenticate-mobile-terminal-response are media access control messages.
3. The method of claim 2 wherein said messages are transmitted within a wireless local area network (WLAN).
4. The method of claim 3 wherein said WLAN is one of IEEE 802.11 and HIPERLAN.
5. The method of claim 2 wherein said communication system is a WLAN
communication system wherein a security protocol is used to provide end-to-end security for data packets.
communication system wherein a security protocol is used to provide end-to-end security for data packets.
6. The method of claim 5 wherein said end-to-end security is provided by at least one of authenticating and encrypting said data packets, and wherein said security protocol provides symmetric cryptography requiring use of at least one of a same encryption and authentication key at both ends of a communication link.
7. The method of claim 6 wherein a sealable key management protocol operates to generate symmetric keys for said security protocol.
8. The method of claim 6 including the steps of:
providing a session dependent dynamic encryption key between said given mobile-terminal and said second access-point; and transferring an active security association from said first access-point to said second access-point as said given mobile-terminal moves within communication coverage that is provided by said communication system.
providing a session dependent dynamic encryption key between said given mobile-terminal and said second access-point; and transferring an active security association from said first access-point to said second access-point as said given mobile-terminal moves within communication coverage that is provided by said communication system.
9. The method of claim 4 including the steps of:
providing said communications system as a LAN;
providing a server within said LAN; and providing key management and security association re-establishment within said LAN during a communication handover, without requiring a modification to an end-to-end security association, as communication continues during said communications handover, such that said communications handover affects only security functions between said mobile-terminal and said first and second access-points.
providing said communications system as a LAN;
providing a server within said LAN; and providing key management and security association re-establishment within said LAN during a communication handover, without requiring a modification to an end-to-end security association, as communication continues during said communications handover, such that said communications handover affects only security functions between said mobile-terminal and said first and second access-points.
10. The method of claim 9 wherein said LAN includes Internet Protocol Security based security association between said plurality of access-points and said plurality of mobile-terminals.
11. The method of claim 1 wherein an authentication key is provided for both ends of a communication pair that is made up of said given mobile-terrminal and said first and second access-points, said authentication key being generated by a scalable key management protocol.
12. The method of claim 1 wherein one of an authentication key and security association exists between said given mobile-terminal and said first access-point in accordance with a scalable key management protocol, and wherein security associations are transferred between said plurality of access-points in order to avoid the need for a new key exchange during a communication handover.
13. The method of claim 12 wherein said scalable key management protocol is IKE, and wherein security associations are transferred between said first access-point and said second access-point in a manner to avoid a need for a new key exchange during said communication handover from said first access-point to said second access-point.
14. The method of claim 13 including the step of encrypting messages that carry the key.
15. Apparatus for maintaining a given security-association in a radio communications system when a communication-handover occurs as a mobile-terminal physically moves from a first geographic area that is served by a first communication-access-point to a second geographic area that is served by a second communication-access-point, said mobile-terminal initially forming a first communication-pair with said first communication-access-point, and after said communication-handover, said mobile-terminal forming a second communication-pair with said second communication-access-point, each member of said first communication-pair having said given security-association associated therewith, the apparatus comprising:
first means at said mobile-terminal for sensing a need to initiate said communication-handover;
second means within said radio communications system and responsive to said first means sensing said need to initiate said commuuication-handover for establishing said given, security-association at said second communication-access-point;
third means at said mobile-terminal for generating an access-point-challenge as a function of said given security-association, and for sending said access-point-challenge to said second communication-access-point;
fourth means at said second communication-access-point for generating a mobile-terminal-challenge as a function of said given security-association established at said second communication-access-point, and for sending said mobile-terminal-challenge to said mobile-terminal;
fifth means at said mobile-terminal and responsive to said mobile-terminal-challenge for generating a mobile-terminal-response as a function of said given security-association, and for sending said mobile-terminal-response to said second communication-access-point;
sixth means at said second communication-access-point and responsive to said access-point-challenge for generating an access-point-response as a function of said given security-association established at said second communication-access-point, and for sending said access-point-response to said mobile-terminal;
seventh means at said mobile-terminal and responsive to said access-point-response for determining if said access-point-response is correct as a function of said given security-association;
eighth means at said second communication-access-point and responsive to said mobile-terminal-response for determining if said mobile-terminal-response is correct as a function of said given security-association established at said second communication-access-point; and ninth means within said radio communications system and responsive to said eighth and ninth means for establishing said communication-handover when both said mobile-terminal-response and said access-point-response are correct.
first means at said mobile-terminal for sensing a need to initiate said communication-handover;
second means within said radio communications system and responsive to said first means sensing said need to initiate said commuuication-handover for establishing said given, security-association at said second communication-access-point;
third means at said mobile-terminal for generating an access-point-challenge as a function of said given security-association, and for sending said access-point-challenge to said second communication-access-point;
fourth means at said second communication-access-point for generating a mobile-terminal-challenge as a function of said given security-association established at said second communication-access-point, and for sending said mobile-terminal-challenge to said mobile-terminal;
fifth means at said mobile-terminal and responsive to said mobile-terminal-challenge for generating a mobile-terminal-response as a function of said given security-association, and for sending said mobile-terminal-response to said second communication-access-point;
sixth means at said second communication-access-point and responsive to said access-point-challenge for generating an access-point-response as a function of said given security-association established at said second communication-access-point, and for sending said access-point-response to said mobile-terminal;
seventh means at said mobile-terminal and responsive to said access-point-response for determining if said access-point-response is correct as a function of said given security-association;
eighth means at said second communication-access-point and responsive to said mobile-terminal-response for determining if said mobile-terminal-response is correct as a function of said given security-association established at said second communication-access-point; and ninth means within said radio communications system and responsive to said eighth and ninth means for establishing said communication-handover when both said mobile-terminal-response and said access-point-response are correct.
16. The apparatus of claim 15 wherein said radio communications system is selected from the group comprising IEEE 802.11 and HIPERLAN.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/447,761 US6587680B1 (en) | 1999-11-23 | 1999-11-23 | Transfer of security association during a mobile terminal handover |
US09/447,761 | 1999-11-23 | ||
PCT/IB2000/001713 WO2001039538A1 (en) | 1999-11-23 | 2000-11-21 | Transfer of security association during a mobile terminal handover |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2391996A1 CA2391996A1 (en) | 2001-05-31 |
CA2391996C true CA2391996C (en) | 2010-01-12 |
Family
ID=23777644
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002391996A Expired - Lifetime CA2391996C (en) | 1999-11-23 | 2000-11-21 | Transfer of security association during a mobile terminal handover |
Country Status (14)
Country | Link |
---|---|
US (1) | US6587680B1 (en) |
EP (1) | EP1232662B1 (en) |
JP (1) | JP4639020B2 (en) |
KR (1) | KR100589761B1 (en) |
CN (1) | CN1199510C (en) |
AT (1) | ATE492997T1 (en) |
AU (1) | AU1293301A (en) |
BR (1) | BRPI0015774B1 (en) |
CA (1) | CA2391996C (en) |
DE (1) | DE60045421D1 (en) |
DK (1) | DK1232662T3 (en) |
ES (1) | ES2354957T3 (en) |
WO (1) | WO2001039538A1 (en) |
ZA (1) | ZA200204037B (en) |
Families Citing this family (229)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6360100B1 (en) | 1998-09-22 | 2002-03-19 | Qualcomm Incorporated | Method for robust handoff in wireless communication system |
US6418130B1 (en) * | 1999-01-08 | 2002-07-09 | Telefonaktiebolaget L M Ericsson (Publ) | Reuse of security associations for improving hand-over performance |
US7882247B2 (en) * | 1999-06-11 | 2011-02-01 | Netmotion Wireless, Inc. | Method and apparatus for providing secure connectivity in mobile and other intermittent computing environments |
GB9921706D0 (en) * | 1999-09-14 | 1999-11-17 | Nokia Telecommunications Oy | Relocation in a communication system |
DE19956318A1 (en) * | 1999-11-23 | 2001-05-31 | Bosch Gmbh Robert | Method for controlling transmission of information specific for the radio transmission protocol i.e. for communication between subscribers of the wireless component of LANs via the core network |
US7486952B1 (en) * | 2000-02-09 | 2009-02-03 | Alcatel-Lucent Usa Inc. | Facilitated security for handoff in wireless communications |
US6834192B1 (en) * | 2000-07-03 | 2004-12-21 | Nokia Corporation | Method, and associated apparatus, for effectuating handover of communications in a bluetooth, or other, radio communication system |
DE10039532B4 (en) * | 2000-08-08 | 2006-05-11 | Walke, Bernhard, Prof. Dr.-Ing | Mutual control of radio systems of different standards in the same frequency band |
JP4187935B2 (en) * | 2000-08-23 | 2008-11-26 | 株式会社東芝 | RADIO COMMUNICATION SYSTEM, TRANSMITTING DEVICE, RECEIVING DEVICE, AND CONTENT DATA TRANSFER METHOD |
US7165173B1 (en) * | 2000-09-01 | 2007-01-16 | Samsung Electronics Co., Ltd. | System and method for secure over-the-air administration of a wireless mobile station |
US7596223B1 (en) * | 2000-09-12 | 2009-09-29 | Apple Inc. | User control of a secure wireless computer network |
US7107051B1 (en) * | 2000-09-28 | 2006-09-12 | Intel Corporation | Technique to establish wireless session keys suitable for roaming |
US6922557B2 (en) * | 2000-10-18 | 2005-07-26 | Psion Teklogix Inc. | Wireless communication system |
FI111423B (en) * | 2000-11-28 | 2003-07-15 | Nokia Corp | A system for securing post-handover communications |
US20020067831A1 (en) * | 2000-12-05 | 2002-06-06 | Sony Corporation | IP-based architecture for mobile computing networks |
US7143154B2 (en) * | 2001-01-26 | 2006-11-28 | Lucent Technologies Inc. | Internet protocol security framework utilizing predictive security association re-negotiation |
US20020157024A1 (en) * | 2001-04-06 | 2002-10-24 | Aki Yokote | Intelligent security association management server for mobile IP networks |
US20020147820A1 (en) * | 2001-04-06 | 2002-10-10 | Docomo Communications Laboratories Usa, Inc. | Method for implementing IP security in mobile IP networks |
US20020174175A1 (en) * | 2001-04-23 | 2002-11-21 | Sony Corporation | IP-based architecture for mobile computing networks |
US20020197979A1 (en) * | 2001-05-22 | 2002-12-26 | Vanderveen Michaela Catalina | Authentication system for mobile entities |
US7009952B1 (en) * | 2001-05-24 | 2006-03-07 | 3Com Corporation | Method and apparatus for seamless mobility with layer two assistance |
US7483411B2 (en) | 2001-06-04 | 2009-01-27 | Nec Corporation | Apparatus for public access mobility LAN and method of operation thereof |
US7680085B2 (en) | 2001-07-24 | 2010-03-16 | Symbol Technologies, Inc. | Out-of-band management and traffic monitoring for wireless access points |
EP1289199B1 (en) * | 2001-09-03 | 2005-04-13 | Sony International (Europe) GmbH | Optimizing Data Traffic in an ad-hoc established device network |
US7370352B2 (en) | 2001-09-06 | 2008-05-06 | Intel Corporation | Techniques for storing and retrieving security information corresponding to cryptographic operations to support cryptographic processing for multiple network traffic streams |
FI116025B (en) * | 2001-09-28 | 2005-08-31 | Netseal Mobility Technologies | A method and network to ensure the secure transmission of messages |
FI116027B (en) * | 2001-09-28 | 2005-08-31 | Netseal Mobility Technologies | A method and system to ensure the secure transmission of messages |
US6862082B1 (en) | 2001-10-05 | 2005-03-01 | Cisco Technology, Inc. | System and method for handover execution in a wireless environment |
US20030084287A1 (en) * | 2001-10-25 | 2003-05-01 | Wang Huayan A. | System and method for upper layer roaming authentication |
US7577425B2 (en) * | 2001-11-09 | 2009-08-18 | Ntt Docomo Inc. | Method for securing access to mobile IP network |
US7443835B2 (en) * | 2001-12-03 | 2008-10-28 | Nokia Corporation | Policy based mechanisms for selecting access routers and mobile context |
US7483984B1 (en) * | 2001-12-19 | 2009-01-27 | Boingo Wireless, Inc. | Method and apparatus for accessing networks by a mobile device |
JP2003198557A (en) * | 2001-12-26 | 2003-07-11 | Nec Corp | Network, and wireless lan authenticating method to be used therefor |
JP2003204326A (en) * | 2002-01-09 | 2003-07-18 | Nec Corp | Communication system, lan controller equipped with encryption function and communication control program |
FI118170B (en) | 2002-01-22 | 2007-07-31 | Netseal Mobility Technologies | A method and system for transmitting a message over a secure connection |
KR20030063502A (en) * | 2002-01-22 | 2003-07-31 | 프로모바일테크 주식회사 | Wireless LAN System for prcessing Internet service roaming of mobile device and method thereof |
US6990343B2 (en) * | 2002-03-14 | 2006-01-24 | Texas Instruments Incorporated | Context block leasing for fast handoffs |
KR100473004B1 (en) * | 2002-03-20 | 2005-03-09 | 에스케이 텔레콤주식회사 | Inter-Access Point Roaming Method |
EP1496711A1 (en) * | 2002-04-17 | 2005-01-12 | NEC Corporation | Handover control method |
US7103359B1 (en) * | 2002-05-23 | 2006-09-05 | Nokia Corporation | Method and system for access point roaming |
US20040014422A1 (en) * | 2002-07-19 | 2004-01-22 | Nokia Corporation | Method and system for handovers using service description data |
JP4000933B2 (en) * | 2002-07-19 | 2007-10-31 | ソニー株式会社 | Wireless information transmission system, wireless communication method, and wireless terminal device |
FR2843522B1 (en) * | 2002-08-12 | 2004-10-15 | Evolium Sas | METHOD FOR PROTECTING THE INTEGRITY OF MESSAGES TRANSMITTED IN A MOBILE RADIO COMMUNICATION SYSTEM |
KR100485355B1 (en) * | 2002-09-17 | 2005-04-28 | 한국전자통신연구원 | Inter-Distribution system handoff method in WLANs |
EP1978710B1 (en) | 2002-09-17 | 2013-07-10 | Broadcom Corporation | System for transfer of authentication during access device handover |
US20040054798A1 (en) * | 2002-09-17 | 2004-03-18 | Frank Ed H. | Method and system for providing seamless connectivity and communication in a multi-band multi-protocol hybrid wired/wireless network |
US7787419B2 (en) * | 2002-09-17 | 2010-08-31 | Broadcom Corporation | System and method for providing a mesh network using a plurality of wireless access points (WAPs) |
KR100501158B1 (en) * | 2002-09-18 | 2005-07-18 | 에스케이 텔레콤주식회사 | Roaming Method Between Access Point in WLAN |
KR100549918B1 (en) * | 2002-09-28 | 2006-02-06 | 주식회사 케이티 | Roaming service method for public wireless LAN service |
KR100480258B1 (en) * | 2002-10-15 | 2005-04-07 | 삼성전자주식회사 | Authentication method for fast hand over in wireless local area network |
EP1411701A3 (en) * | 2002-10-18 | 2007-07-11 | Buffalo Inc. | Wireless access authentication technology for wide area networks |
KR100448318B1 (en) | 2002-11-08 | 2004-09-16 | 삼성전자주식회사 | Method for hand-off in a wileless network |
US7792527B2 (en) * | 2002-11-08 | 2010-09-07 | Ntt Docomo, Inc. | Wireless network handoff key |
US7346772B2 (en) * | 2002-11-15 | 2008-03-18 | Cisco Technology, Inc. | Method for fast, secure 802.11 re-association without additional authentication, accounting and authorization infrastructure |
US7248877B2 (en) | 2002-11-21 | 2007-07-24 | Bandspeed, Inc. | Multiple access wireless communications architecture |
US7512404B2 (en) | 2002-11-21 | 2009-03-31 | Bandspeed, Inc. | Method and apparatus for sector channelization and polarization for reduced interference in wireless networks |
US7136655B2 (en) | 2002-11-21 | 2006-11-14 | Bandspeed, Inc. | Method and apparatus for coverage and throughput enhancement in a wireless communication system |
KR100501323B1 (en) * | 2002-12-16 | 2005-07-18 | 삼성전자주식회사 | Method and Apparatus for the realization of mobility by using WLAN Voice terminal at the ISDN switching system |
US7212828B2 (en) * | 2002-12-31 | 2007-05-01 | International Business Machines Corporation | Monitoring changeable locations of client devices in wireless networks |
MXPA05007445A (en) * | 2003-01-09 | 2005-09-12 | Thomson Licensing Sa | Method and apparatus for banding multiple access points. |
US20040181692A1 (en) * | 2003-01-13 | 2004-09-16 | Johanna Wild | Method and apparatus for providing network service information to a mobile station by a wireless local area network |
KR100580244B1 (en) * | 2003-01-23 | 2006-05-16 | 삼성전자주식회사 | A handoff method in wirelessLAN |
CN100342695C (en) * | 2003-01-27 | 2007-10-10 | 华为技术有限公司 | A method for controlling Ethernet port authority by 802.1X |
US7668541B2 (en) | 2003-01-31 | 2010-02-23 | Qualcomm Incorporated | Enhanced techniques for using core based nodes for state transfer |
US8019362B2 (en) * | 2003-02-07 | 2011-09-13 | Sybase 365, Inc. | Universal short code administration facility |
US20040236939A1 (en) * | 2003-02-20 | 2004-11-25 | Docomo Communications Laboratories Usa, Inc. | Wireless network handoff key |
JP4242666B2 (en) * | 2003-02-26 | 2009-03-25 | モトローラ・インコーポレイテッド | Wireless packet communication method and wireless packet communication system |
EP1471407B1 (en) * | 2003-03-31 | 2008-01-16 | Broadcom Corporation | Providing seamless connectivity between multiple communication bands having different communication protocols in a hybrid wired/wireless network |
KR20060003359A (en) * | 2003-04-18 | 2006-01-10 | 코닌클리케 필립스 일렉트로닉스 엔.브이. | Secret identifier for renewed subscription |
US7181196B2 (en) * | 2003-05-15 | 2007-02-20 | Lucent Technologies Inc. | Performing authentication in a communications system |
US6987985B2 (en) * | 2003-06-06 | 2006-01-17 | Interdigital Technology Corporation | Wireless communication components and methods for multiple system communications |
EP1492273A3 (en) * | 2003-06-26 | 2006-01-04 | Broadcom Corporation | Method for providing seamless connectivity and communication in a multi-band multi-protocol hybrid/wireless network |
KR20060031867A (en) * | 2003-07-15 | 2006-04-13 | 코닌클리즈케 필립스 일렉트로닉스 엔.브이. | Method to achieve fast active scan in 802.11 wlan |
US7447177B2 (en) * | 2003-08-26 | 2008-11-04 | Intel Corporation | Method and apparatus of secure roaming |
US6980535B2 (en) | 2003-08-28 | 2005-12-27 | Motorola, Inc. | Passive probing for handover in a local area network |
KR100689508B1 (en) * | 2003-09-04 | 2007-03-02 | 삼성전자주식회사 | Method for performing handover in a communication system |
WO2005027557A1 (en) * | 2003-09-12 | 2005-03-24 | Ntt Docomo, Inc. | Seamless handover in heterogeneous network |
US20080253329A1 (en) * | 2003-12-11 | 2008-10-16 | Matsushita Electric Industrial Co., Ltd. | Communication Handover Method, Communication System, Communication Message Processing Method, and Communication Message Processing Program |
US7735120B2 (en) * | 2003-12-24 | 2010-06-08 | Apple Inc. | Server computer issued credential authentication |
EP1704707A2 (en) * | 2004-01-15 | 2006-09-27 | Nokia Corporation | Techniques for updating security-related parameters for mobile stations |
EP1562340A1 (en) * | 2004-02-05 | 2005-08-10 | Siemens Aktiengesellschaft | Method and apparatus for establishing a temporary secure connection between a mobile network node and an access network node during a data transmission handover |
US7710923B2 (en) * | 2004-05-07 | 2010-05-04 | Interdigital Technology Corporation | System and method for implementing a media independent handover |
CN1951128B (en) * | 2004-05-07 | 2012-05-09 | 美商内数位科技公司 | System and method for implementing a media independent handover |
DE102004026495A1 (en) * | 2004-05-27 | 2005-12-22 | Detewe Deutsche Telephonwerke Aktiengesellschaft & Co. Kg | Method for operating a data connection |
US20050266826A1 (en) * | 2004-06-01 | 2005-12-01 | Nokia Corporation | Method for establishing a security association between a wireless access point and a wireless node in a UPnP environment |
JP4013920B2 (en) * | 2004-06-02 | 2007-11-28 | 日本電気株式会社 | COMMUNICATION SYSTEM, COMMUNICATION DEVICE, ITS OPERATION CONTROL METHOD, AND PROGRAM |
KR100640479B1 (en) * | 2004-06-07 | 2006-10-30 | 삼성전자주식회사 | System and method for optimizing handover procedure in mobile broadband wireless access system |
US7302264B2 (en) * | 2004-06-11 | 2007-11-27 | Samsung Electronics Co., Ltd. | System and method for fast network re-entry in a broadband wireless access communication system |
US8688834B2 (en) * | 2004-07-09 | 2014-04-01 | Toshiba America Research, Inc. | Dynamic host configuration and network access authentication |
US8019344B2 (en) * | 2004-08-11 | 2011-09-13 | Nokia Corporation | Apparatus, and associated methods, for facilitating secure, make-before-break hand-off in a radio communication system |
US20080318571A1 (en) * | 2004-08-31 | 2008-12-25 | Jari Tapio Vikberg | Method and System to Assign Mobile Stations to an Unlicensed Mobile Access Network Controller in an Unlicensed Radio Access Network |
KR101103445B1 (en) * | 2004-08-31 | 2012-01-09 | 텔레폰악티에볼라겟엘엠에릭슨(펍) | Limit redirections in an unlicensed mobile access network |
DE102004042220A1 (en) * | 2004-09-01 | 2006-04-06 | Deutsche Telekom Ag | Mobile terminal`s access point changing method for e.g. LAN, involves establishing contact between terminal and neighboring access point during handover based on point`s identification data that is stored in table maintained for each point |
US20060046690A1 (en) * | 2004-09-02 | 2006-03-02 | Rose Gregory G | Pseudo-secret key generation in a communications system |
US8233450B2 (en) * | 2004-09-10 | 2012-07-31 | Interdigital Technology Corporation | Wireless communication methods and components for facilitating multiple network type compatibility |
US7236477B2 (en) * | 2004-10-15 | 2007-06-26 | Motorola, Inc. | Method for performing authenticated handover in a wireless local area network |
US7461398B2 (en) * | 2004-10-21 | 2008-12-02 | At&T Intellectual Property I, L.P., By Transfer Of Ownership From At&T Delaware Intellectual Property, Inc. | Methods, systems, and computer program products for dynamic management of security parameters during a communications session |
US20060089121A1 (en) * | 2004-10-27 | 2006-04-27 | Hani Elgebaly | Method and apparatus for automatic connecting of virtual private network clients to a network |
US20060095767A1 (en) * | 2004-11-04 | 2006-05-04 | Nokia Corporation | Method for negotiating multiple security associations in advance for usage in future secure communication |
US7738871B2 (en) * | 2004-11-05 | 2010-06-15 | Interdigital Technology Corporation | Wireless communication method and system for implementing media independent handover between technologically diversified access networks |
US7469155B2 (en) * | 2004-11-29 | 2008-12-23 | Cisco Technology, Inc. | Handheld communications device with automatic alert mode selection |
CN101120609A (en) * | 2004-12-21 | 2008-02-06 | 松下电器产业株式会社 | Access network system, base station device, network connection device, mobile terminal, and authentication method |
US7990998B2 (en) * | 2004-12-22 | 2011-08-02 | Qualcomm Incorporated | Connection setup using flexible protocol configuration |
US8254347B2 (en) * | 2004-12-31 | 2012-08-28 | Alcatel Lucent | Methods and devices for associating a mobile device to access points within a WLAN |
US20060217147A1 (en) * | 2005-01-18 | 2006-09-28 | Interdigital Technology Corporation | Method and system for system discovery and user selection |
US20060159047A1 (en) * | 2005-01-18 | 2006-07-20 | Interdigital Technology Corporation | Method and system for context transfer across heterogeneous networks |
CA2600830A1 (en) * | 2005-03-15 | 2006-09-21 | Trapeze Networks, Inc. | System and method for distributing keys in a wireless network |
WO2006102565A2 (en) * | 2005-03-23 | 2006-09-28 | Nortel Networks Limited | Optimized derivation of handover keys in mobile ipv6 |
US7669230B2 (en) * | 2005-03-30 | 2010-02-23 | Symbol Technologies, Inc. | Secure switching system for networks and method for securing switching |
US20060240802A1 (en) * | 2005-04-26 | 2006-10-26 | Motorola, Inc. | Method and apparatus for generating session keys |
US7746825B2 (en) * | 2005-05-16 | 2010-06-29 | Interdigital Technology Corporation | Method and system for integrating media independent handovers |
US7394800B2 (en) * | 2005-06-30 | 2008-07-01 | Intel Corporation | Reservation with access points |
TWI393414B (en) * | 2005-07-06 | 2013-04-11 | Nokia Corp | Secure session keys context |
KR100705579B1 (en) * | 2005-08-01 | 2007-04-10 | 삼성전자주식회사 | System and Method for Performing Handoffs Using Hybrid Network |
US8428238B2 (en) * | 2005-08-03 | 2013-04-23 | Cisco Technology, Inc. | System and method for ensuring call privacy in a shared telephone environment |
CN100450295C (en) * | 2005-08-24 | 2009-01-07 | 华为技术有限公司 | Method of controlling position renewing |
US20070047726A1 (en) * | 2005-08-25 | 2007-03-01 | Cisco Technology, Inc. | System and method for providing contextual information to a called party |
JP4681990B2 (en) * | 2005-09-06 | 2011-05-11 | ソフトバンクBb株式会社 | Communication system and communication system |
US9078084B2 (en) | 2005-12-22 | 2015-07-07 | Qualcomm Incorporated | Method and apparatus for end node assisted neighbor discovery |
CN1937840B (en) * | 2005-09-19 | 2011-04-13 | 华为技术有限公司 | Method and device for obtaining safety alliance information during mobile terminal switching |
US8982835B2 (en) | 2005-09-19 | 2015-03-17 | Qualcomm Incorporated | Provision of a move indication to a resource requester |
US8983468B2 (en) | 2005-12-22 | 2015-03-17 | Qualcomm Incorporated | Communications methods and apparatus using physical attachment point identifiers |
US8982778B2 (en) | 2005-09-19 | 2015-03-17 | Qualcomm Incorporated | Packet routing in a wireless communications environment |
US8509799B2 (en) | 2005-09-19 | 2013-08-13 | Qualcomm Incorporated | Provision of QoS treatment based upon multiple requests |
US9736752B2 (en) | 2005-12-22 | 2017-08-15 | Qualcomm Incorporated | Communications methods and apparatus using physical attachment point identifiers which support dual communications links |
US9066344B2 (en) * | 2005-09-19 | 2015-06-23 | Qualcomm Incorporated | State synchronization of access routers |
CN1941695B (en) * | 2005-09-29 | 2011-12-21 | 华为技术有限公司 | Method and system for generating and distributing key during initial access network process |
KR100742362B1 (en) * | 2005-10-04 | 2007-07-25 | 엘지전자 주식회사 | Method and apparatus for securitily sending/receiving contents in mobile network |
US7573859B2 (en) | 2005-10-13 | 2009-08-11 | Trapeze Networks, Inc. | System and method for remote monitoring in a wireless network |
US7551619B2 (en) | 2005-10-13 | 2009-06-23 | Trapeze Networks, Inc. | Identity-based networking |
WO2007044986A2 (en) | 2005-10-13 | 2007-04-19 | Trapeze Networks, Inc. | System and method for remote monitoring in a wireless network |
US8638762B2 (en) | 2005-10-13 | 2014-01-28 | Trapeze Networks, Inc. | System and method for network integrity |
US7724703B2 (en) | 2005-10-13 | 2010-05-25 | Belden, Inc. | System and method for wireless network monitoring |
KR101137340B1 (en) * | 2005-10-18 | 2012-04-19 | 엘지전자 주식회사 | Method of Providing Security for Relay Station |
US8250587B2 (en) | 2005-10-27 | 2012-08-21 | Trapeze Networks, Inc. | Non-persistent and persistent information setting method and system for inter-process communication |
US20070106778A1 (en) * | 2005-10-27 | 2007-05-10 | Zeldin Paul E | Information and status and statistics messaging method and system for inter-process communication |
US7848513B2 (en) | 2005-12-08 | 2010-12-07 | Samsung Electronics Co., Ltd. | Method for transmitting security context for handover in portable internet system |
US8243895B2 (en) * | 2005-12-13 | 2012-08-14 | Cisco Technology, Inc. | Communication system with configurable shared line privacy feature |
US7864731B2 (en) * | 2006-01-04 | 2011-01-04 | Nokia Corporation | Secure distributed handover signaling |
US8064948B2 (en) * | 2006-01-09 | 2011-11-22 | Cisco Technology, Inc. | Seamless roaming for dual-mode WiMax/WiFi stations |
US20070168520A1 (en) * | 2006-01-13 | 2007-07-19 | Matsushita Electric Industrial Co., Ltd. | Network layer end-point transfer |
CN101022647B (en) * | 2006-02-15 | 2010-09-08 | 华为技术有限公司 | Realizing method and device for determining safe consultation parameter in switching process |
US8228867B2 (en) * | 2006-02-21 | 2012-07-24 | Telefonaktiebolaget Lm Ericsson (Publ) | Handover in a wireless network back to a restricted local access point from an unrestricted global access point |
US9083355B2 (en) | 2006-02-24 | 2015-07-14 | Qualcomm Incorporated | Method and apparatus for end node assisted neighbor discovery |
US8503621B2 (en) * | 2006-03-02 | 2013-08-06 | Cisco Technology, Inc. | Secure voice communication channel for confidential messaging |
US20070214040A1 (en) * | 2006-03-10 | 2007-09-13 | Cisco Technology, Inc. | Method for prompting responses to advertisements |
US20070214041A1 (en) * | 2006-03-10 | 2007-09-13 | Cisco Technologies, Inc. | System and method for location-based mapping of soft-keys on a mobile communication device |
EP1838121A1 (en) * | 2006-03-22 | 2007-09-26 | BRITISH TELECOMMUNICATIONS public limited company | Method and apparatus for re-establishing wireless communication sessions |
US8356171B2 (en) | 2006-04-26 | 2013-01-15 | Cisco Technology, Inc. | System and method for implementing fast reauthentication |
US7558266B2 (en) | 2006-05-03 | 2009-07-07 | Trapeze Networks, Inc. | System and method for restricting network access using forwarding databases |
US20070260720A1 (en) * | 2006-05-03 | 2007-11-08 | Morain Gary E | Mobility domain |
US9319967B2 (en) * | 2006-05-15 | 2016-04-19 | Boingo Wireless, Inc. | Network access point detection and use |
US20070268514A1 (en) * | 2006-05-19 | 2007-11-22 | Paul Zeldin | Method and business model for automated configuration and deployment of a wireless network in a facility without network administrator intervention |
US20070268506A1 (en) * | 2006-05-19 | 2007-11-22 | Paul Zeldin | Autonomous auto-configuring wireless network device |
US20070268516A1 (en) * | 2006-05-19 | 2007-11-22 | Jamsheed Bugwadia | Automated policy-based network device configuration and network deployment |
US20070268515A1 (en) * | 2006-05-19 | 2007-11-22 | Yun Freund | System and method for automatic configuration of remote network switch and connected access point devices |
US8966018B2 (en) | 2006-05-19 | 2015-02-24 | Trapeze Networks, Inc. | Automated network device configuration and network deployment |
US8345851B2 (en) * | 2006-05-31 | 2013-01-01 | Cisco Technology, Inc. | Randomized digit prompting for an interactive voice response system |
US7761110B2 (en) * | 2006-05-31 | 2010-07-20 | Cisco Technology, Inc. | Floor control templates for use in push-to-talk applications |
US7577453B2 (en) * | 2006-06-01 | 2009-08-18 | Trapeze Networks, Inc. | Wireless load balancing across bands |
US7912982B2 (en) | 2006-06-09 | 2011-03-22 | Trapeze Networks, Inc. | Wireless routing selection system and method |
US8818322B2 (en) | 2006-06-09 | 2014-08-26 | Trapeze Networks, Inc. | Untethered access point mesh system and method |
US9258702B2 (en) | 2006-06-09 | 2016-02-09 | Trapeze Networks, Inc. | AP-local dynamic switching |
US9191799B2 (en) | 2006-06-09 | 2015-11-17 | Juniper Networks, Inc. | Sharing data between wireless switches system and method |
US7844298B2 (en) * | 2006-06-12 | 2010-11-30 | Belden Inc. | Tuned directional antennas |
JP2008005074A (en) * | 2006-06-21 | 2008-01-10 | Nec Corp | Radio network system, radio base station and method for controlling handover used therefor and base station |
US7724704B2 (en) | 2006-07-17 | 2010-05-25 | Beiden Inc. | Wireless VLAN system and method |
JP4850610B2 (en) | 2006-07-31 | 2012-01-11 | キヤノン株式会社 | COMMUNICATION DEVICE AND ITS CONTROL METHOD |
US8300627B2 (en) * | 2006-08-02 | 2012-10-30 | Cisco Technology, Inc. | Forwarding one or more preferences during call forwarding |
EP1892913A1 (en) | 2006-08-24 | 2008-02-27 | Siemens Aktiengesellschaft | Method and arrangement for providing a wireless mesh network |
US8340110B2 (en) | 2006-09-15 | 2012-12-25 | Trapeze Networks, Inc. | Quality of service provisioning for wireless networks |
US20080072047A1 (en) * | 2006-09-20 | 2008-03-20 | Futurewei Technologies, Inc. | Method and system for capwap intra-domain authentication using 802.11r |
US8072952B2 (en) | 2006-10-16 | 2011-12-06 | Juniper Networks, Inc. | Load balancing |
JP4886463B2 (en) | 2006-10-20 | 2012-02-29 | キヤノン株式会社 | Communication parameter setting method, communication apparatus, and management apparatus for managing communication parameters |
US7840686B2 (en) * | 2006-10-25 | 2010-11-23 | Research In Motion Limited | Method and system for conducting communications over a network |
US20080134556A1 (en) * | 2006-10-25 | 2008-06-12 | Amber Lee Remelin | Biometric thumbprint lock apparatus and method |
US8687785B2 (en) * | 2006-11-16 | 2014-04-01 | Cisco Technology, Inc. | Authorization to place calls by remote users |
US20080151844A1 (en) * | 2006-12-20 | 2008-06-26 | Manish Tiwari | Wireless access point authentication system and method |
WO2008083339A2 (en) | 2006-12-28 | 2008-07-10 | Trapeze Networks, Inc. | Application-aware wireless network system and method |
US7873061B2 (en) * | 2006-12-28 | 2011-01-18 | Trapeze Networks, Inc. | System and method for aggregation and queuing in a wireless network |
US20080175228A1 (en) * | 2007-01-24 | 2008-07-24 | Cisco Technology, Inc. | Proactive quality assessment of voice over IP calls systems |
US8141126B2 (en) | 2007-01-24 | 2012-03-20 | International Business Machines Corporation | Selective IPsec security association recovery |
FI20070094A0 (en) * | 2007-02-02 | 2007-02-02 | Nokia Corp | Changing the radio overlay security algorithm during a handover |
WO2008110996A1 (en) * | 2007-03-12 | 2008-09-18 | Nokia Corporation | Apparatus, method and computer program product providing auxillary handover command |
US8639224B2 (en) * | 2007-03-22 | 2014-01-28 | Cisco Technology, Inc. | Pushing a number obtained from a directory service into a stored list on a phone |
US9155008B2 (en) | 2007-03-26 | 2015-10-06 | Qualcomm Incorporated | Apparatus and method of performing a handoff in a communication network |
CN101304600B (en) | 2007-05-08 | 2011-12-07 | 华为技术有限公司 | Method and system for negotiating safety capability |
CN102413461B (en) * | 2007-05-08 | 2014-06-04 | 华为技术有限公司 | Method for negotiating safety capacity |
CN101309500B (en) | 2007-05-15 | 2011-07-20 | 华为技术有限公司 | Security negotiation method and apparatus when switching between different wireless access technologies |
US8830818B2 (en) * | 2007-06-07 | 2014-09-09 | Qualcomm Incorporated | Forward handover under radio link failure |
US9094173B2 (en) | 2007-06-25 | 2015-07-28 | Qualcomm Incorporated | Recovery from handoff error due to false detection of handoff completion signal at access terminal |
US20090005047A1 (en) * | 2007-06-29 | 2009-01-01 | Vivek Gupta | Media independent vertical handovers |
US8817061B2 (en) * | 2007-07-02 | 2014-08-26 | Cisco Technology, Inc. | Recognition of human gestures by a mobile phone |
US8902904B2 (en) | 2007-09-07 | 2014-12-02 | Trapeze Networks, Inc. | Network assignment based on priority |
US8509128B2 (en) | 2007-09-18 | 2013-08-13 | Trapeze Networks, Inc. | High level instruction convergence function |
US8238942B2 (en) | 2007-11-21 | 2012-08-07 | Trapeze Networks, Inc. | Wireless station location detection |
JP2011507369A (en) * | 2007-12-11 | 2011-03-03 | テレフオンアクチーボラゲット エル エム エリクソン(パブル) | Method and apparatus for generating a radio base station key in a cellular radio system |
US8836502B2 (en) * | 2007-12-28 | 2014-09-16 | Apple Inc. | Personal media device input and output control based on associated conditions |
US8538376B2 (en) * | 2007-12-28 | 2013-09-17 | Apple Inc. | Event-based modes for electronic devices |
JP4965737B2 (en) | 2008-03-28 | 2012-07-04 | テレフオンアクチーボラゲット エル エム エリクソン(パブル) | Identification of tampered or defective base stations during handover |
US8150357B2 (en) | 2008-03-28 | 2012-04-03 | Trapeze Networks, Inc. | Smoothing filter for irregular update intervals |
US8565434B2 (en) * | 2008-05-27 | 2013-10-22 | Qualcomm Incorporated | Methods and systems for maintaining security keys for wireless communication |
US8474023B2 (en) | 2008-05-30 | 2013-06-25 | Juniper Networks, Inc. | Proactive credential caching |
AU2013200304B2 (en) * | 2008-06-23 | 2014-10-09 | Ntt Docomo, Inc. | Mobile communication method, mobile station and radio base station |
JP4384700B1 (en) * | 2008-06-23 | 2009-12-16 | 株式会社エヌ・ティ・ティ・ドコモ | Mobile communication method, mobile station and radio base station |
US8978105B2 (en) | 2008-07-25 | 2015-03-10 | Trapeze Networks, Inc. | Affirming network relationships and resource access via related networks |
US8238298B2 (en) | 2008-08-29 | 2012-08-07 | Trapeze Networks, Inc. | Picking an optimal channel for an access point in a wireless network |
JP4435254B1 (en) * | 2008-10-22 | 2010-03-17 | 株式会社エヌ・ティ・ティ・ドコモ | Mobile communication method and switching center |
US8386773B2 (en) * | 2008-12-09 | 2013-02-26 | Research In Motion Limited | Verification methods and apparatus for use in providing application services to mobile communication devices |
US8873752B1 (en) * | 2009-01-16 | 2014-10-28 | Sprint Communications Company L.P. | Distributed wireless device association with basestations |
KR20100097577A (en) * | 2009-02-26 | 2010-09-03 | 엘지전자 주식회사 | Method of negotiating security capabilities and managing traffic encryption key |
US9059979B2 (en) * | 2009-02-27 | 2015-06-16 | Blackberry Limited | Cookie verification methods and apparatus for use in providing application services to communication devices |
KR101655264B1 (en) | 2009-03-10 | 2016-09-07 | 삼성전자주식회사 | Method and system for authenticating in communication system |
US8452290B2 (en) | 2009-03-31 | 2013-05-28 | Broadcom Corporation | Communication session soft handover |
US20100329206A1 (en) * | 2009-06-30 | 2010-12-30 | Thome Timothy A | Dual idle-traffic state of wireless communication device |
US20110015940A1 (en) * | 2009-07-20 | 2011-01-20 | Nathan Goldfein | Electronic physician order sheet |
US8605904B2 (en) * | 2009-08-14 | 2013-12-10 | Industrial Technology Research Institute | Security method in wireless communication system having relay node |
JP5758925B2 (en) * | 2010-03-12 | 2015-08-05 | エルジー エレクトロニクス インコーポレイティド | Region changing method considering security coordination in broadband wireless access system and apparatus therefor |
KR101789623B1 (en) | 2010-03-12 | 2017-10-25 | 엘지전자 주식회사 | Method and Apparatus for Zone Switch-based handover considering Security Support in a Broadband Wireless Access System |
US8615241B2 (en) | 2010-04-09 | 2013-12-24 | Qualcomm Incorporated | Methods and apparatus for facilitating robust forward handover in long term evolution (LTE) communication systems |
US8542836B2 (en) | 2010-12-01 | 2013-09-24 | Juniper Networks, Inc. | System, apparatus and methods for highly scalable continuous roaming within a wireless network |
CN102065424A (en) * | 2011-01-11 | 2011-05-18 | 大唐移动通信设备有限公司 | Safe isolating method and equipment |
TWI486084B (en) * | 2011-06-24 | 2015-05-21 | Accton Technology Corp | Wireless connection point and wireless mobile device connection control method |
WO2013129865A1 (en) * | 2012-02-28 | 2013-09-06 | 엘지전자 주식회사 | Method and apparatus for communicating by using different types of carriers in radio communication system supporting carrier aggregation |
FR2992811A1 (en) * | 2012-07-02 | 2014-01-03 | France Telecom | ESTABLISHING A SECURITY ASSOCIATION WHEN ATTACHING A TERMINAL TO AN ACCESS NETWORK |
KR102141621B1 (en) * | 2013-11-05 | 2020-08-05 | 삼성전자주식회사 | Apparatus and method for re-establishing connection in mobile communication system |
US20150237554A1 (en) * | 2014-02-19 | 2015-08-20 | Qualcomm Incorporated | Systems, methods and apparatus for seamless handoff at the application layer between disparate networks for interactive applications |
WO2018229815A1 (en) * | 2017-06-12 | 2018-12-20 | Necディスプレイソリューションズ株式会社 | Communication device, communication system, communication method, and communication program |
CN113574932A (en) * | 2019-03-22 | 2021-10-29 | 索尼集团公司 | Communication control apparatus, communication control method, communication terminal, and communication method |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5237612A (en) * | 1991-03-29 | 1993-08-17 | Ericsson Ge Mobile Communications Inc. | Cellular verification and validation system |
US5204902A (en) * | 1991-09-13 | 1993-04-20 | At&T Bell Laboratories | Cellular telephony authentication arrangement |
JP3246969B2 (en) * | 1992-12-28 | 2002-01-15 | 日本電信電話株式会社 | Authentication method |
US5325419A (en) * | 1993-01-04 | 1994-06-28 | Ameritech Corporation | Wireless digital personal communications system having voice/data/image two-way calling and intercell hand-off |
JPH06351062A (en) * | 1993-06-10 | 1994-12-22 | Fujitsu Ltd | Privacy function continuation system at time of handover |
US5598459A (en) * | 1995-06-29 | 1997-01-28 | Ericsson Inc. | Authentication and handover methods and systems for radio personal communications |
US5778075A (en) | 1996-08-30 | 1998-07-07 | Telefonaktiebolaget, L.M. Ericsson | Methods and systems for mobile terminal assisted handover in an private radio communications network |
US6026293A (en) * | 1996-09-05 | 2000-02-15 | Ericsson Inc. | System for preventing electronic memory tampering |
US6665718B1 (en) * | 1997-10-14 | 2003-12-16 | Lucent Technologies Inc. | Mobility management system |
US6014085A (en) * | 1997-10-27 | 2000-01-11 | Lucent Technologies Inc. | Strengthening the authentication protocol |
NL1008351C2 (en) | 1998-02-19 | 1999-08-20 | No Wires Needed B V | Data communication network. |
US6370380B1 (en) | 1999-02-17 | 2002-04-09 | Telefonaktiebolaget Lm Ericsson (Publ) | Method for secure handover |
-
1999
- 1999-11-23 US US09/447,761 patent/US6587680B1/en not_active Expired - Lifetime
-
2000
- 2000-11-21 BR BRPI0015774-0A patent/BRPI0015774B1/en not_active IP Right Cessation
- 2000-11-21 CN CNB008185255A patent/CN1199510C/en not_active Expired - Lifetime
- 2000-11-21 AT AT00974719T patent/ATE492997T1/en not_active IP Right Cessation
- 2000-11-21 JP JP2001540557A patent/JP4639020B2/en not_active Expired - Lifetime
- 2000-11-21 ES ES00974719T patent/ES2354957T3/en not_active Expired - Lifetime
- 2000-11-21 DK DK00974719.7T patent/DK1232662T3/en active
- 2000-11-21 AU AU12933/01A patent/AU1293301A/en not_active Abandoned
- 2000-11-21 CA CA002391996A patent/CA2391996C/en not_active Expired - Lifetime
- 2000-11-21 WO PCT/IB2000/001713 patent/WO2001039538A1/en active IP Right Grant
- 2000-11-21 DE DE60045421T patent/DE60045421D1/en not_active Expired - Lifetime
- 2000-11-21 KR KR1020027006594A patent/KR100589761B1/en active IP Right Grant
- 2000-11-21 EP EP00974719A patent/EP1232662B1/en not_active Expired - Lifetime
-
2002
- 2002-05-21 ZA ZA200204037A patent/ZA200204037B/en unknown
Also Published As
Publication number | Publication date |
---|---|
WO2001039538A1 (en) | 2001-05-31 |
ZA200204037B (en) | 2003-08-21 |
BR0015774A (en) | 2002-08-13 |
BRPI0015774B1 (en) | 2015-06-16 |
EP1232662B1 (en) | 2010-12-22 |
JP4639020B2 (en) | 2011-02-23 |
DE60045421D1 (en) | 2011-02-03 |
CN1481651A (en) | 2004-03-10 |
KR100589761B1 (en) | 2006-06-15 |
AU1293301A (en) | 2001-06-04 |
KR20020065532A (en) | 2002-08-13 |
CA2391996A1 (en) | 2001-05-31 |
DK1232662T3 (en) | 2011-02-14 |
JP2003516000A (en) | 2003-05-07 |
ES2354957T3 (en) | 2011-03-21 |
ATE492997T1 (en) | 2011-01-15 |
CN1199510C (en) | 2005-04-27 |
US6587680B1 (en) | 2003-07-01 |
EP1232662A1 (en) | 2002-08-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2391996C (en) | Transfer of security association during a mobile terminal handover | |
CA2609715C (en) | Method, system and apparatus for load balancing of wireless switches to support layer 3 roaming in wireless local area networks (wlans) | |
US7929948B2 (en) | Method for fast roaming in a wireless network | |
EP1561331B1 (en) | A method for fast, secure 802.11 re-association without additional authentication, accounting, and authorization infrastructure | |
US8037305B2 (en) | Securing multiple links and paths in a wireless mesh network including rapid roaming | |
CA2605842C (en) | Method, system and apparatus for creating an active client list to support layer 3 roaming in wireless local area networks (wlans) | |
KR100448321B1 (en) | Method for hand-off in a wileless network | |
US20090135783A1 (en) | FMIPv6 Intergration with Wimax | |
US20070113275A1 (en) | IP security with seamless roaming and load balancing | |
US20080089305A1 (en) | System and method for broadband mobile access network | |
CA2605840A1 (en) | Method, system and apparatus for creating a mesh network of wireless switches to support layer 3 roaming in wireless local area networks (wlans) | |
CA2605833A1 (en) | Method, system and apparatus for layer 3 roaming in wireless local area networks (wlans) | |
EP2223494A1 (en) | Wireless lan mobility | |
CN112887921B (en) | Method and equipment for reducing packet loss during switching of WAPI CPE (wireless local area network interface) equipment between APs (access points) | |
Balažia et al. | Seamless handover in 802.11 networks | |
Herwono et al. | Performance improvement of Media point network using the inter access point protocol according to IEEE 802.11 f | |
Krichene et al. | 7 Handoff Management in WiMAX | |
Yang et al. | Seamless handover mechanism for fixed-mobile convergence service in BcN |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
EEER | Examination request | ||
MKEX | Expiry |
Effective date: 20201123 |